# Solved: Troubled with TR/Virtumod.S
## tommy72ca (Sep 6, 2007)

Hi, I came across the Tech Support Guy forum with much frustration trying to save my system from a reformat.
My computer started acting up a couple of days ago, probably infected with many different types of Trojan and adware. The Task Manager was disabled by the virus, and I noticed the reboot/shut down menu had disappeared. The only thing left was to log off. As a precaution I disconnected the Ethernet cable and manually rebooted the system into safe mode. The battle between me and the troublesome virus has been going on since then.
I've run many different anti-spyware/anti-virus programs, and was able to remove most of the problematic infected files. However, in the end I wasn't able to remove "TR/Virtumod.S", as the file seems to be locked.
Here's the part of the scan of the system32 folder where I'm stuck:

Begin scan in 'C:\WINDOWS\system32'
C:\WINDOWS\system32\sstqr.dll
[DETECTION] Is the Trojan horse TR/Virtumod.S
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

Here is a log file from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:33 AM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\antivir personaledition classic\avnotify.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\letyycpa.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

It's late and I'm frustrated, without enough knowledge of what to do to get the system back to healthy. Any assistance from more knowledgeable people would be much appreciated.

Thanks
Thomas


----------



## tommy72ca (Sep 6, 2007)

I am getting pop-ups under safe mode now, not sure if it's the same trojan virus.
When I tried installing SUPERAntiSpyware, the Windows Installer said the administrator has set policies to prevent this installation. Is there a way to see what has been changed by the virus?

please help me!


----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca*. 

Welcome to TSG.


Your *Java* seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*: 

Download the latest version of * Java Runtime Environment (JRE) 6u2*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please download *VundoFix.exe* to your desktop.

*Note*:* In the event you already have Vundofix, this is a new version that I need you to download*.
Double-click *VundoFix.exe* to run it.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* in your next reply.
*Note:* It is possible that *VundoFix* encountered a file it could not remove. In this case, *VundoFix* will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo *button" when VundoFix appears at reboot.

Download ComboFix from *Here* to your Desktop.

*Note*:* In the event you already have Combofix, this is a new version that I need you to download*.

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply along with a Hijackthis log._

Click *Close* to exit the program.


----------



## tommy72ca (Sep 6, 2007)

First of all, thank you for the reply.

I am unable to uninstall JAVA under Add or Remove programs in normal system boot up.
It stated "The windows installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file to rename Windows Installer files. Once extracted, double click on the batch file. The MSDOS window will be displayed for a second. That is normal.

Now go to this link. Download and reinstall Windows Installer 3.1 Ver. 2:

http://www.microsoft.com/downloads/...FC-5F56-4A38-B838-DE776FD4138C&displaylang=en


----------



## tommy72ca (Sep 6, 2007)

I have tried to rename the files per the Microsoft support page prior to your reply post.
Yet things are still the same after I followed through your instructions.
Anything else I could do to help you understand the issue better?


----------



## tommy72ca (Sep 6, 2007)

VundoFix V6.5.8

Checking Java version...

Scan started at 1:18:19 PM 9/6/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


----------



## JSntgRvr (Jul 1, 2003)

Ok. Skip JAVA and continue with the rest. We can come back to it later.


----------



## tommy72ca (Sep 6, 2007)

ComboFix 07-08-30.3 - "Thomas" 2007-09-06 13:26:34.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.538 [GMT -7:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\network monitor
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\sfsync02.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SFSYNC02
-------\core
-------\DomainService
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))

2007-09-06 13:23	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-09-06 13:18 d--------	C:\VundoFix Backups
2007-09-06 01:53 d--------	C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-09-05 23:47 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 21:24	1,986,254	--ahs----	C:\WINDOWS\system32\rqtss.bak1
2007-09-05 18:16	1,986,294	--a------	C:\WINDOWS\system32\rqtss.bak2.ren
2007-09-05 17:52 d--------	C:\WINDOWS\pss
2007-09-05 17:39 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-09-05 16:33 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Simply Super Software
2007-09-05 16:22 d-a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 16:21	77,312	--a------	C:\WINDOWS\system32\ztvunace26.dll
2007-09-05 16:21	75,264	--a------	C:\WINDOWS\system32\unacev2.dll
2007-09-05 16:21	69,632	--a------	C:\WINDOWS\system32\ztvcabinet.dll
2007-09-05 16:21	162,304	--a------	C:\WINDOWS\system32\ztvunrar36.dll
2007-09-05 16:21	153,088	--a------	C:\WINDOWS\system32\UNRAR3.dll
2007-09-05 16:21 d--------	C:\Program Files\Trojan Remover
2007-09-05 16:21 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-09-05 16:21 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-09-04 22:20	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-04 13:10	244,832	--a------	C:\WINDOWS\system32\sstqr.VIR
2007-09-04 13:10	1,987,624	--ahs----	C:\WINDOWS\system32\rqtss.ini.ren
2007-09-04 13:10	1,986,254	--a------	C:\WINDOWS\system32\rqtss.bak1.ren
2007-09-04 13:07 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-09-04 13:05 d--hs----	C:\WINDOWS\VGhvbWFzIFRzYWk
2007-09-04 13:05 d--------	C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-04 13:04 d--------	C:\WINDOWS\Web Download
2007-09-03 12:28 d--------	C:\Program Files\BitComet
2007-09-03 10:06 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Uniblue
2007-09-02 13:55 d--------	C:\Program Files\PPLive
2007-09-02 13:55 d--------	C:\DOCUME~1\Thomas\APPLIC~1\PPLive
2007-08-18 20:44 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Yahoo!
2007-08-16 05:42 d--------	C:\Program Files\Audacity
2007-08-15 14:12 d--------	C:\DOCUME~1\Thomas\APPLIC~1\atitray
2007-08-15 13:23 d--------	C:\Program Files\ATITool
2007-08-08 23:46 d--------	C:\DOCUME~1\Thomas\DoctorWeb
2007-08-08 23:10 d--------	C:\Program Files\CCleaner
2007-08-08 22:05 d--------	C:\WINDOWS\ERUNT
2007-08-08 19:35 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-06 01:35 d--------	C:\Program Files\WinISD

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-15 14:41	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-06 01:53	76560	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-06 01:33	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-09-04 13:09	---------	d--------	C:\Program Files\SlySoft
2007-09-04 11:47	359808	--a------	C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-09-03 10:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\.BitTornado
2007-09-02 23:31	---------	d--------	C:\Program Files\Common Files\Scanner
2007-09-02 13:55	---------	d--------	C:\Program Files\MSN Messenger
2007-08-16 02:38	---------	d--------	C:\Program Files\Common Files\logishrd
2007-08-15 12:19	359808	--a------	C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-08-14 02:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\dvdcss
2007-08-11 18:40	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-08 19:36	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Ahead
2007-08-06 16:00	---------	d--------	C:\Program Files\Logitech
2007-08-04 19:35	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-08-01 10:42	952	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-31 15:20	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-07-31 15:17	---------	d--------	C:\Program Files\Common Files\LightScribe
2007-07-31 15:17	---------	d--------	C:\Program Files\Common Files\Ahead
2007-07-31 15:11	---------	d--------	C:\Program Files\Nero
2007-07-31 15:11	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-31 15:06	---------	d--------	C:\Program Files\Ahead
2007-07-31 02:12	---------	d--------	C:\Program Files\MSXML 4.0
2007-07-30 20:07	---------	d--------	C:\Program Files\DAEMON Tools
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 18:00	---------	d--------	C:\Program Files\Norton Security Scan
2007-07-30 11:27	---------	d--------	C:\Program Files\iSofter
2007-07-30 11:21	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\BSplayer Pro
2007-07-29 21:46	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\MSN6
2007-07-29 21:46	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-28 17:11	682232	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2007-07-28 16:51	---------	d--------	C:\Program Files\Monkey's Audio
2007-07-28 14:14	---------	d--------	C:\DOCUME~1\Hua\APPLIC~1\Logitech
2007-07-27 14:35	---------	d--------	C:\Program Files\Lavalys
2007-07-26 16:39	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\ppStream
2007-07-26 16:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Google
2007-07-22 23:45	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Logitech
2007-07-22 23:42	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-22 23:42	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-07-22 23:41	---------	d--------	C:\Program Files\Common Files\Logitech
2007-07-22 23:41	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-07-14 13:38	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-07-11 21:49	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd
2007-07-06 02:30	---------	d--------	C:\Program Files\Enginuity
2007-07-05 23:07	---------	d--------	C:\Program Files\OpenECU
2007-07-05 23:07	---------	d--------	C:\Program Files\DIFX
2007-06-25 23:08	1104896	--a------	C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31	282112	--a------	C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-04-13 22:17	774144	--a------	C:\Program Files\RngInterstitial.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E271F4E9-D46E-4C7A-8608-AFDD4A87E582}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:31]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-08-29 20:30]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-05 17:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\sstqr

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\PStrip.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

Contents of the 'Scheduled Tasks' folder
2007-08-24 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 13:39:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 13:41:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 13:41

--- E O F ---


----------



## tommy72ca (Sep 6, 2007)

I have run VundoFix and ComboFix; the above posts are the individual log files.
So far the system has gotten better than before; it seems that the Task Manager is back along with the shut down/restart menu.
As I mentioned, I am still not able to uninstall JAVA or install SUPERAntiSpyware. They are both stopped by the Windows Installer message.

I appreciate your input and time,
Thomas


----------



## tommy72ca (Sep 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 5:13:05 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://udn.com/NEWS/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca* 


*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 



> File::
> C:\WINDOWS\system32\rqtss.bak1
> C:\WINDOWS\system32\rqtss.bak2.ren
> C:\WINDOWS\system32\sstqr.VIR
> ...


Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report.

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file to query the registry for restrictions. Once extracted double click on the batch file and post the resulting report.

Let me also see a fresh HijackThis log.
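
As an added example (not the helper's enclosed batch file and not part of the original thread), here is a small Python checker for the kind of REG.EXE report that batch file produces: it parses the key/value layout of the report posted later in this thread and flags the Explorer and System policy values that cause the lock-out symptoms tommy72ca described (Task Manager disabled, Shut Down missing). The sample report embedded below, and the positive hits in it, are constructed.

```python
"""Flag lock-out policy restrictions in a REG.EXE v3.0 query report.

Reads the text that `reg query <key> /s` prints on Windows XP: a key path on
its own line, then one tab-separated "name<TAB>REG_TYPE<TAB>data" line per
value, with "! REG.EXE VERSION 3.0" banners between queries.
"""
import re

# Policy values (REG_DWORD, non-zero = restriction on) behind the symptoms
# described in this thread: Task Manager disabled, Shut Down entry missing.
# These are real Windows policy value names; the list is not exhaustive.
RESTRICTIONS = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
    "NoClose": "Shut Down removed from the Start menu",
    "NoLogOff": "Log Off removed from the Start menu",
    "NoRun": "Run command removed from the Start menu",
    "NoControlPanel": "Control Panel blocked",
    "NoFolderOptions": "Folder Options hidden",
    "NoViewContextMenu": "Explorer context menu disabled",
    "NoDesktop": "desktop icons hidden",
}

# Only keys under a ...\Policies\... path are policy restriction stores.
POLICY_PATH = re.compile(r"\\Policies\\", re.IGNORECASE)


def parse_reg_report(text):
    """Return {key_path: {value_name: (reg_type, data)}} from REG.EXE output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("! REG.EXE"):
            continue                      # blank separators and version banners
        if line.startswith("HKEY_"):
            current = line.strip()        # a new subkey; its values follow
            keys.setdefault(current, {})
            continue
        parts = line.split("\t")          # REG.EXE 3.0 separates columns by tab
        if current is not None and len(parts) >= 3:
            name, reg_type = parts[0], parts[1]
            keys[current][name] = (reg_type, "\t".join(parts[2:]))
    return keys


def find_restrictions(keys):
    """List (key_path, value_name, description) for enabled lock-out values."""
    hits = []
    for path, values in keys.items():
        if not POLICY_PATH.search(path):
            continue
        for name, (reg_type, data) in values.items():
            desc = RESTRICTIONS.get(name)
            if desc is None or reg_type != "REG_DWORD":
                continue
            try:
                enabled = int(data, 0) != 0   # REG.EXE prints DWORDs as 0x1
            except ValueError:
                continue                      # malformed data, skip the value
            if enabled:
                hits.append((path, name, desc))
    return hits


def audit(text):
    """Parse a report and return the restriction hits in report order."""
    return find_restrictions(parse_reg_report(text))


# Constructed sample in the layout of the report posted later in this thread.
# The DisableTaskMgr and NoClose entries are made up to show positive hits;
# NoRecentDocsMenu and the MRT value are benign and must not be flagged.
SAMPLE_REPORT = """! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
DisableTaskMgr\tREG_DWORD\t0x1
DisableRegistryTools\tREG_DWORD\t0x0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
NoClose\tREG_DWORD\t0x1
NoRecentDocsMenu\tREG_DWORD\t0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MRT
DontReportInfectionInformation\tREG_DWORD\t0x1
"""

if __name__ == "__main__":
    for path, name, desc in audit(SAMPLE_REPORT):
        print(f"{path}\n    {name} = 1  ({desc})")
```

To check a real report, read the saved text file and pass its contents to `audit()`; a value shown as enabled should then be cleared with the policy editor or REG.EXE and the log re-run to confirm.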


----------



## tommy72ca (Sep 6, 2007)

ComboFix 07-08-30.3 - "Thomas" 2007-09-06 17:26:31.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.567 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Thomas\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2.ren
C:\WINDOWS\system32\sstqr.VIR
C:\WINDOWS\system32\rqtss.ini.ren
C:\WINDOWS\system32\rqtss.bak1.ren
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak1.ren
C:\WINDOWS\system32\rqtss.bak2.ren
C:\WINDOWS\system32\rqtss.ini.ren

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-06 16:49 d--------	C:\WINDOWS\LastGood
2007-09-06 13:23	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-09-06 13:18 d--------	C:\VundoFix Backups
2007-09-06 01:53 d--------	C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-09-05 23:47 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 17:52 d--------	C:\WINDOWS\pss
2007-09-05 17:39 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-09-05 16:33 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Simply Super Software
2007-09-05 16:22 d-a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 16:21	77,312	--a------	C:\WINDOWS\system32\ztvunace26.dll
2007-09-05 16:21	75,264	--a------	C:\WINDOWS\system32\unacev2.dll
2007-09-05 16:21	69,632	--a------	C:\WINDOWS\system32\ztvcabinet.dll
2007-09-05 16:21	162,304	--a------	C:\WINDOWS\system32\ztvunrar36.dll
2007-09-05 16:21	153,088	--a------	C:\WINDOWS\system32\UNRAR3.dll
2007-09-05 16:21 d--------	C:\Program Files\Trojan Remover
2007-09-05 16:21 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-09-05 16:21 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-09-04 22:20	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-04 13:07 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-09-04 13:05 d--hs----	C:\WINDOWS\VGhvbWFzIFRzYWk
2007-09-04 13:05 d--------	C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-04 13:04 d--------	C:\WINDOWS\Web Download
2007-09-03 12:28 d--------	C:\Program Files\BitComet
2007-09-03 10:06 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Uniblue
2007-09-02 13:55 d--------	C:\Program Files\PPLive
2007-09-02 13:55 d--------	C:\DOCUME~1\Thomas\APPLIC~1\PPLive
2007-08-18 20:44 d--------	C:\DOCUME~1\Thomas\APPLIC~1\Yahoo!
2007-08-16 05:42 d--------	C:\Program Files\Audacity
2007-08-15 14:12 d--------	C:\DOCUME~1\Thomas\APPLIC~1\atitray
2007-08-15 13:23 d--------	C:\Program Files\ATITool
2007-08-08 23:46 d--------	C:\DOCUME~1\Thomas\DoctorWeb
2007-08-08 23:10 d--------	C:\Program Files\CCleaner
2007-08-08 22:05 d--------	C:\WINDOWS\ERUNT
2007-08-08 19:35 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-06 01:35 d--------	C:\Program Files\WinISD

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-15 14:41	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-06 01:53	76560	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-06 01:33	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-09-04 13:09	---------	d--------	C:\Program Files\SlySoft
2007-09-04 11:47	359808	--a------	C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-09-03 10:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\.BitTornado
2007-09-02 23:31	---------	d--------	C:\Program Files\Common Files\Scanner
2007-09-02 13:55	---------	d--------	C:\Program Files\MSN Messenger
2007-08-16 02:38	---------	d--------	C:\Program Files\Common Files\logishrd
2007-08-15 12:19	359808	--a------	C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-08-14 02:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\dvdcss
2007-08-11 18:40	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-08 19:36	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Ahead
2007-08-06 16:00	---------	d--------	C:\Program Files\Logitech
2007-08-04 19:35	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-08-01 10:42	952	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-31 15:20	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-07-31 15:17	---------	d--------	C:\Program Files\Common Files\LightScribe
2007-07-31 15:17	---------	d--------	C:\Program Files\Common Files\Ahead
2007-07-31 15:11	---------	d--------	C:\Program Files\Nero
2007-07-31 15:11	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-31 15:06	---------	d--------	C:\Program Files\Ahead
2007-07-31 02:12	---------	d--------	C:\Program Files\MSXML 4.0
2007-07-30 20:07	---------	d--------	C:\Program Files\DAEMON Tools
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 18:00	---------	d--------	C:\Program Files\Norton Security Scan
2007-07-30 11:27	---------	d--------	C:\Program Files\iSofter
2007-07-30 11:21	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\BSplayer Pro
2007-07-29 21:46	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\MSN6
2007-07-29 21:46	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-28 17:11	682232	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2007-07-28 16:51	---------	d--------	C:\Program Files\Monkey's Audio
2007-07-28 14:14	---------	d--------	C:\DOCUME~1\Hua\APPLIC~1\Logitech
2007-07-27 14:35	---------	d--------	C:\Program Files\Lavalys
2007-07-26 16:39	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\ppStream
2007-07-26 16:32	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Google
2007-07-22 23:45	---------	d--------	C:\DOCUME~1\Thomas\APPLIC~1\Logitech
2007-07-22 23:41	---------	d--------	C:\Program Files\Common Files\Logitech
2007-07-22 23:41	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-07-14 13:38	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-07-11 21:49	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd
2007-06-25 23:08	1104896	--a------	C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31	282112	--a------	C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-04-13 22:17	774144	--a------	C:\Program Files\RngInterstitial.dll

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

---- Directory of C:\WINDOWS\pss ----

2007-09-06 16:02	211	---------	C:\WINDOWS\pss\boot.ini.backup 
2007-09-02 23:31	231	---------	C:\WINDOWS\pss\system.ini.backup 
2007-05-31 19:32	592	---------	C:\WINDOWS\pss\win.ini.backup

---- Directory of C:\WINDOWS\VGhvbWFzIFRzYWk ----

((((((((((((((((((((((((((((( snapshot_2007-09-06_134056.99 )))))))))))))))))))))))))))))))))))))))))

----a-w 2,890,240 2005-05-04 21:45:32 C:\WINDOWS\system32\msi.dll
-c--a-w 2,890,240 2005-05-04 21:45:32 C:\WINDOWS\system32\dllcache\msi.dll
-c--a-w 78,848 2005-05-04 21:45:36 C:\WINDOWS\system32\dllcache\msiexec.exe
-c--a-w 271,360 2005-05-04 21:45:36 C:\WINDOWS\system32\dllcache\msihnd.dll

----a-w 2,854,400 2007-04-18 16:12:23 C:\WINDOWS\system32\msi.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E271F4E9-D46E-4C7A-8608-AFDD4A87E582}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:31]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-08-29 20:30]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-05 17:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\sstqr

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\PStrip.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys

Contents of the 'Scheduled Tasks' folder
2007-08-24 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 17:28:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 17:29:03
C:\ComboFix-quarantined-files.txt ... 2007-09-06 17:29
C:\ComboFix2.txt ... 2007-09-06 13:41

--- E O F ---


----------



## tommy72ca (Sep 6, 2007)

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Policies

HKEY_CURRENT_USER\Software\Policies\Microsoft

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\AppCompat

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultExecMenuItems
tWhiteList	REG_SZ	Close|GeneralInfo|Quit|FirstPage|PrevPage|NextPage|LastPage|ActualSize|FitPage|FitWidth|FitHeight|SinglePage|OneColumn|TwoPages|TwoColumns|ZoomViewIn|ZoomViewOut|ShowHideBookmarks|ShowHideThumbnails|Print|GoToPage|ZoomTo|GeneralPrefs|SaveAs|FullScreen|OpenOrganizer|Scan|Web2PDF:OpnURL|AcroSendMail:SendMail|Spelling:Check Spelling|PageSetup|Find|FindSearch|GoBack|GoForward|FitVisible|ShowHideToolbarEditing|ShowHideToolbarCommenting|ShowHideToolbarEdit|ShowHideToolbarFile|ShowHideToolbarFind|ShowHideToolbarForms|ShowHideToolbarMeasuring|ShowHideToolbarData|ShowHideToolbarPageDisplay|ShowHideToolbarNavigation|ShowHideToolbarPrintProduction|ShowHideToolbarRedaction|ShowHideToolbarBasicTools|ShowHideToolbarTasks|ShowHideToolbarTypewriter|PropertyToolbar|ShowHideArticles|ShowHideFileAttachment|ShowHideAnnotManager|ShowHideFields|ShowHideOptCont|ShowHideModelTree|ShowHideSignatures|InsertPages|ExtractPages|ReplacePages|DeletePages|CropPages|RotatePages|AddFileAttachment|FindCurrentBookmark|BookmarkShowLocation|GoBackDoc|GoForwardDoc|HelpUserGuide|HelpReader

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchAttachmentPerms
tBuiltInPermList	REG_SZ	version:1|.ade:3|.adp:3|.app:3|.asp:3|.bas:3|.bat:3|.bz:3|.bz2:3|.chm:3|.class:3|.cmd:3|.com:3|.command:3|.cpl:3|.crt:3|.csh:3|.desktop:3|.exe:3|.fxp:3|.gz:3|.hex:3|.hlp:3|.hqx:3|.hta:3|.inf:3|.ini:3|.ins:3|.isp:3|.its:3|.job:3|.js:3|.jse:3|.ksh:3|.lnk:3|.lzh:3|.mad:3|.maf:3|.mag:3|.mam:3|.maq:3|.mar:3|.mas:3|.mat:3|.mau:3|.mav:3|.maw:3|.mda:3|.mde:3|.mdt:3|.mdw:3|.mdz:3|.msc:3|.msi:3|.msp:3|.mst:3|.ocx:3|.ops:3|.pcd:3|.pi:3|.pif:3|.prf:3|.prg:3|.pst:3|.rar:3|.reg:3|.scf:3|.scr:3|.sct:3|.sea:3|.shb:3|.shs:3|.sit:3|.tar:3|.tgz:3|.tmp:3|.url:3|.vb:3|.vbe:3|.vbs:3|.vsmacros:3|.vss:3|.vst:3|.vsw:3|.webloc:3|.ws:3|.wsc:3|.wsf:3|.wsh:3|.zip:3|.zlo:3|.zoo:3|.pdf:2|.fdf:2

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms
tSchemePerms	REG_SZ	version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}
DisableServerCheck	REG_DWORD	0x1
LegacyPresence	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}\CertificatePolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}\PortRange

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching
DontSearchWindowsUpdate	REG_DWORD	0x0
DontPromptForWindowsUpdate	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
EnableAdminTSRemote	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecFilter
description	REG_SZ	Matches all ICMP packets between this computer and any other computer.
name	REG_SZ	ipsecFilter{72385235-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	All ICMP Traffic
ipsecID	REG_SZ	{72385235-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B520DC80C82ED111A89E00A0248D302152000000010000000200000000000200000000000A000000490043004D00500000001DEA12CE43CAB241BB4FDAE3066246C00100000000000000FFFFFFFF00000000000000000000000001000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{fb16018d-1b85-45fe-b1b9-57e26549cec4}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ed177b4c-c63f-472f-bbb7-6a88f5497073}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecFilter
description	REG_SZ	Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE).
name	REG_SZ	ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	All IP Traffic
ipsecID	REG_SZ	{7238523a-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B520DC80C82ED111A89E00A0248D30214A00000001000000020000000000020000000000020000000000B3D5AE1241E7AD4C96CA250260F0251B0100000000000000FFFFFFFF00000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385231-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385234-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x462044b6

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385237-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{7238523d-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely to untrusted clients if they do not respond to request.
name	REG_SZ	ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Request Security (Optional)
ipsecID	REG_SZ	{72385233-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{3f91a81a-7647-11d1-864d-d46a00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021940100000500000084030000A086010000000000000000000100000003000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A08601000000000000000000010000000100000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C010000A08601000000000000000000010000000200000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C010000A0860100000000000000000001000000010000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Permit unsecured IP packets to pass through.
name	REG_SZ	ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Permit
ipsecID	REG_SZ	{7238523b-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd2-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021040000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{fb16018d-1b85-45fe-b1b9-57e26549cec4}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ed177b4c-c63f-472f-bbb7-6a88f5497073}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients.
name	REG_SZ	ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Require Security
ipsecID	REG_SZ	{7238523f-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{3f91a81a-7647-11d1-864d-d46a00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021440100000400000084030000A086010000000000000000000100000003000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000003000000010000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000001000000010000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{936e3831-03f3-4e41-b738-f5045f1fe3e8}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{936e3831-03f3-4e41-b738-f5045f1fe3e8}
ipsecID	REG_SZ	{936e3831-03f3-4e41-b738-f5045f1fe3e8}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4f0566a7-a416-4d4d-a897-3b0c81f91fb5}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{e0642992-3a1f-408b-bda2-88b306083716}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{e0642992-3a1f-408b-bda2-88b306083716}
ipsecID	REG_SZ	{e0642992-3a1f-408b-bda2-88b306083716}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0f1b4638-c9a0-4bab-9d83-f44844b1ae85}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{f03d6129-e99f-43f5-8eb6-33303770c09c}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{f03d6129-e99f-43f5-8eb6-33303770c09c}
ipsecID	REG_SZ	{f03d6129-e99f-43f5-8eb6-33303770c09c}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{dcbec58e-06fe-4127-89ad-f7f0871fb4bc}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0f1b4638-c9a0-4bab-9d83-f44844b1ae85}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{0f1b4638-c9a0-4bab-9d83-f44844b1ae85}
ipsecID	REG_SZ	{0f1b4638-c9a0-4bab-9d83-f44844b1ae85}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{e0642992-3a1f-408b-bda2-88b306083716}
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}
ipsecName	REG_SZ	Request Security (Optional) Rule
description	REG_SZ	For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request.
ipsecID	REG_SZ	{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4f0566a7-a416-4d4d-a897-3b0c81f91fb5}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{4f0566a7-a416-4d4d-a897-3b0c81f91fb5}
ipsecID	REG_SZ	{4f0566a7-a416-4d4d-a897-3b0c81f91fb5}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{936e3831-03f3-4e41-b738-f5045f1fe3e8}
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}
ipsecName	REG_SZ	Require Security
description	REG_SZ	Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients.
ipsecID	REG_SZ	{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{dcbec58e-06fe-4127-89ad-f7f0871fb4bc}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{dcbec58e-06fe-4127-89ad-f7f0871fb4bc}
ipsecID	REG_SZ	{dcbec58e-06fe-4127-89ad-f7f0871fb4bc}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{f03d6129-e99f-43f5-8eb6-33303770c09c}
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}\0\0


----------



## tommy72ca (Sep 6, 2007)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ed177b4c-c63f-472f-bbb7-6a88f5497073}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{ed177b4c-c63f-472f-bbb7-6a88f5497073}
ipsecName	REG_SZ	Permit unsecure ICMP packets to pass through.
description	REG_SZ	Permit unsecure ICMP packets to pass through.
ipsecID	REG_SZ	{ed177b4c-c63f-472f-bbb7-6a88f5497073}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{fb16018d-1b85-45fe-b1b9-57e26549cec4}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{fb16018d-1b85-45fe-b1b9-57e26549cec4}
ipsecName	REG_SZ	Permit unsecure ICMP packets to pass through.
description	REG_SZ	Permit unsecure ICMP packets to pass through.
ipsecID	REG_SZ	{fb16018d-1b85-45fe-b1b9-57e26549cec4}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x462044b6
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecPolicy
description	REG_SZ	For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request.
name	REG_SZ	ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Server (Request Security)
ipsecID	REG_SZ	{72385230-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	632120224C4FD111863B00A0248D302104000000302A000000
ipsecISAKMPReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
whenChanged	REG_DWORD	0x462044b6
ipsecNFAReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{1215c60c-9a2c-449e-b1ce-cd3bad02f6e5}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ed177b4c-c63f-472f-bbb7-6a88f5497073}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0f1b4638-c9a0-4bab-9d83-f44844b1ae85}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecPolicy
description	REG_SZ	Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured.
name	REG_SZ	ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Client (Respond Only)
ipsecID	REG_SZ	{72385236-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	632120224C4FD111863B00A0248D302104000000302A000000
ipsecISAKMPReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
whenChanged	REG_DWORD	0x462044b6
ipsecNFAReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{dcbec58e-06fe-4127-89ad-f7f0871fb4bc}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecPolicy
description	REG_SZ	For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients.
name	REG_SZ	ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Secure Server (Require Security)
ipsecID	REG_SZ	{7238523c-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	632120224C4FD111863B00A0248D302104000000302A000000
ipsecISAKMPReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
whenChanged	REG_DWORD	0x462044b6
ipsecNFAReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d17c6481-2f78-4a56-8ad7-bcb54a66d40b}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{fb16018d-1b85-45fe-b1b9-57e26549cec4}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4f0566a7-a416-4d4d-a897-3b0c81f91fb5}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ExecutableTypes	REG_MULTI_SZ	ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC\0\0
TransparentEnabled	REG_DWORD	0x1
DefaultLevel	REG_DWORD	0x40000
AuthenticodeEnabled	REG_DWORD	0x0
PolicyScope	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	Mdac11.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	5EAB304F957A49896A006C1C31154015
LastModified	REG_NONE	85C434DC19A2C201
ItemSize	REG_NONE	0B03000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	mdac20.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	67B0D48B343A3FD3BCE9DC646704F394
LastModified	REG_NONE	038A39DC19A2C201
ItemSize	REG_NONE	0502000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	mdac20_a.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	327802DCFEF8C893DC8AB006DD847D1D
LastModified	REG_NONE	BE7745DC19A2C201
ItemSize	REG_NONE	9603000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	_msadc10.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	BD9A2ADB42EBD8560E250E4DF8162F67
LastModified	REG_NONE	814F3EDC19A2C201
ItemSize	REG_NONE	E500000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	msadc11.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	386B085F84ECF669D36B956A22C01E80
LastModified	REG_NONE	40B240DC19A2C201
ItemSize	REG_NONE	7201000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
Description	REG_SZ	
SaferFlags	REG_DWORD	0x0
ItemData	REG_EXPAND_SZ	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
LastModified	REG_NONE	70076FB2527EC701

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveAutoRun	REG_DWORD	0x3ffffff
NoDriveTypeAutoRun	REG_DWORD	0xff

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F}	REG_DWORD	0x1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}	REG_DWORD	0x40000021
{0DF44EAA-FF21-4412-828E-260A8728E7F1}	REG_DWORD	0x20

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system
dontdisplaylastusername	REG_DWORD	0x1
legalnoticecaption	REG_SZ	
legalnoticetext	REG_SZ	
shutdownwithoutlogon	REG_DWORD	0x1
undockwithoutlogon	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun	REG_DWORD	0x91
ClearRecentDocsOnExit	REG_DWORD	0x1
NoRecentDocsMenu	REG_DWORD	0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell	REG_DWORD	0x1
DefaultDomainName	REG_SZ	HOMEUSA-THOMAS
DefaultUserName	REG_SZ	Thomas
LegalNoticeCaption	REG_SZ	
LegalNoticeText	REG_SZ	
PowerdownAfterShutdown	REG_SZ	0
ReportBootOk	REG_SZ	1
Shell	REG_SZ	Explorer.exe
ShutdownWithoutLogon	REG_SZ	0
System	REG_SZ	
Userinit	REG_SZ	C:\WINDOWS\system32\userinit.exe,
VmApplet	REG_SZ	rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota	REG_DWORD	0xffffffff
allocatecdroms	REG_SZ	0
allocatedasd	REG_SZ	0
allocatefloppies	REG_SZ	0
cachedlogonscount	REG_SZ	10
forceunlocklogon	REG_DWORD	0x0
passwordexpirywarning	REG_DWORD	0xe
scremoveoption	REG_SZ	0
AllowMultipleTSSessions	REG_DWORD	0x1
UIHost	REG_EXPAND_SZ	logonui.exe
LogonType	REG_DWORD	0x1
Background	REG_SZ	0 0 0
DebugServerCommand	REG_SZ	no
SFCDisable	REG_DWORD	0x0
WinStationsDisabled	REG_SZ	0
HibernationPreviouslyEnabled	REG_DWORD	0x1
ShowLogonOptions	REG_DWORD	0x0
AltDefaultUserName	REG_SZ	Thomas
AltDefaultDomainName	REG_SZ	HOMEUSA-THOMAS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME>	REG_SZ	Microsoft Disk Quota
NoMachinePolicy	REG_DWORD	0x0
NoUserPolicy	REG_DWORD	0x1
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x0
RequiresSuccessfulRegistry	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	dskquota.dll
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<NO NAME>	REG_SZ	Internet Explorer Zonemapping
DllName	REG_EXPAND_SZ	iedkcs32.dll
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicyForZoneMap
NoGPOListChanges	REG_DWORD	0x1
RequiresSucessfulRegistry	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessSecurityPolicyGPO
GenerateGroupPolicy	REG_SZ	SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel	REG_DWORD	0x1
ProcessGroupPolicyEx	REG_SZ	SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel	REG_DWORD	0x1
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	Security
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x1
MaxNoGPOListChangesInterval	REG_DWORD	0x3c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy
DllName	REG_EXPAND_SZ	iedkcs32.dll
<NO NAME>	REG_SZ	Internet Explorer Branding
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x0
NoGPOListChanges	REG_DWORD	0x1
NoMachinePolicy	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessEFSRecoveryGPO
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	EFS recovery
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
RequiresSuccessfulRegistry	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME>	REG_SZ	Software Installation
DllName	REG_EXPAND_SZ	appmgmts.dll
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyObjectsEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
NoBackgroundPolicy	REG_DWORD	0x0
RequiresSucessfulRegistry	REG_DWORD	0x0
NoSlowLink	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x1
EventSources	REG_MULTI_SZ	(Application Management,Application)\0(MsiInstaller,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
DLLName	REG_SZ	Ati2evxx.dll
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x1
Lock	REG_SZ	AtiLockEvent
Logoff	REG_SZ	AtiLogoffEvent
Logon	REG_SZ	AtiLogonEvent
Disconnect	REG_SZ	AtiDisConnectEvent
Reconnect	REG_SZ	AtiReConnectEvent
Safe	REG_DWORD	0x0
Shutdown	REG_SZ	AtiShutdownEvent
StartScreenSaver	REG_SZ	AtiStartScreenSaverEvent
StartShell	REG_SZ	AtiStartShellEvent
Startup	REG_SZ	AtiStartupEvent
StopScreenSaver	REG_SZ	AtiStopScreenSaverEvent
Unlock	REG_SZ	AtiUnLockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	crypt32.dll
Logoff	REG_SZ	ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	cryptnet.dll
Logoff	REG_SZ	CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName	REG_SZ	cscdll.dll
Logon	REG_SZ	WinlogonLogonEvent
Logoff	REG_SZ	WinlogonLogoffEvent
ScreenSaver	REG_SZ	WinlogonScreenSaverEvent
Startup	REG_SZ	WinlogonStartupEvent
Shutdown	REG_SZ	WinlogonShutdownEvent
StartShell	REG_SZ	WinlogonStartShellEvent
Impersonate	REG_DWORD	0x0
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName	REG_SZ	wlnotify.dll
Logon	REG_SZ	SCardStartCertProp
Logoff	REG_SZ	SCardStopCertProp
Lock	REG_SZ	SCardSuspendCertProp
Unlock	REG_SZ	SCardResumeCertProp
Enabled	REG_DWORD	0x1
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	wlnotify.dll
Impersonate	REG_DWORD	0x0
StartShell	REG_SZ	SchedStartShell
Logoff	REG_SZ	SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff	REG_SZ	WLEventLogoff
Impersonate	REG_DWORD	0x0
Asynchronous	REG_DWORD	0x1
DllName	REG_EXPAND_SZ	sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName	REG_SZ	WlNotify.dll
Lock	REG_SZ	SensLockEvent
Logon	REG_SZ	SensLogonEvent
Logoff	REG_SZ	SensLogoffEvent
Safe	REG_DWORD	0x1
MaxWait	REG_DWORD	0x258
StartScreenSaver	REG_SZ	SensStartScreenSaverEvent
StopScreenSaver	REG_SZ	SensStopScreenSaverEvent
Startup	REG_SZ	SensStartupEvent
Shutdown	REG_SZ	SensShutdownEvent
StartShell	REG_SZ	SensStartShellEvent
PostShell	REG_SZ	SensPostShellEvent
Disconnect	REG_SZ	SensDisconnectEvent
Reconnect	REG_SZ	SensReconnectEvent
Unlock	REG_SZ	SensUnlockEvent
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	wlnotify.dll
Impersonate	REG_DWORD	0x0
Logoff	REG_SZ	TSEventLogoff
Logon	REG_SZ	TSEventLogon
PostShell	REG_SZ	TSEventPostShell
Shutdown	REG_SZ	TSEventShutdown
StartShell	REG_SZ	TSEventStartShell
Startup	REG_SZ	TSEventStartup
MaxWait	REG_DWORD	0x258
Reconnect	REG_SZ	TSEventReconnect
Disconnect	REG_SZ	TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
EulaAccepted	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName	REG_SZ	wlnotify.dll
Logon	REG_SZ	RegisterTicketExpiredNotificationEvent
Logoff	REG_SZ	UnregisterTicketExpiredNotificationEvent
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant	REG_DWORD	0x0
TsInternetUser	REG_DWORD	0x0
SQLAgentCmdExec	REG_DWORD	0x0
NetShowServices	REG_DWORD	0x0
IWAM_	REG_DWORD	0x10000
IUSR_	REG_DWORD	0x10000
VUSR_	REG_DWORD	0x10000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials


----------



## tommy72ca (Sep 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 5:32:08 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://udn.com/NEWS/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


----------



## JSntgRvr (Jul 1, 2003)

Let's query the registry once again.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, double click on the batch file and post the resulting report.


----------



## tommy72ca (Sep 6, 2007)

Thank you for the prompt response.
Here's the requested log.


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
Description	REG_SZ	Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
Type	REG_DWORD	0x20
Start	REG_DWORD	0x3
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	C:\WINDOWS\system32\msiexec.exe /V
DisplayName	REG_SZ	Windows Installer
DependOnService	REG_MULTI_SZ	RpcSs\0\0
DependOnGroup	REG_MULTI_SZ	\0
ObjectName	REG_SZ	LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Enum


----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca* 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. *

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)

*Now close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

Combofix is giving me a snapshot of files that have recently been modified. This time is pertaining to Windows Installer:

Current files:
*----a-w 2,890,240 2005-05-04 21:45:32 C:\WINDOWS\system32\msi.dll*
-c--a-w 2,890,240 2005-05-04 21:45:32 C:\WINDOWS\system32\dllcache\msi.dll
-c--a-w 78,848 2005-05-04 21:45:36 C:\WINDOWS\system32\dllcache\msiexec.exe
-c--a-w 271,360 2005-05-04 21:45:36 C:\WINDOWS\system32\dllcache\msihnd.dll
Previous file:
*----a-w 2,854,400 2007-04-18 16:12:23 C:\WINDOWS\system32\msi.dll*

As you can see there is a difference in size. Search for MSI.dll. There is a copy in the C:\Windows\System32 folder. Once this one is found, right click on it and select Properties. Which version is indicated therein?

Try the following:

Start->Run, type (Copy and Paste from here) *msiexec /regserver* and click OK.

Restart the computer and attempt to install SuperAntispyware.

Keep me posted.
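The entries picked out above follow a few rules that are easy to automate: R3/O2 lines whose file is gone are orphaned registrations, a nameless O2 BHO pointing at a random-looking System32 DLL is the Vundo/Virtumonde (TR/Virtumod) pattern, and R0/R1 lines aimed at an unknown host are hijacked IE settings. As an added example (not the helper's tool or anything posted in the thread), here is a Python script that applies those rules to a HijackThis 1.99 log. The KNOWN_HOSTS allow-list, the five-letter DLL pattern and the tag names are assumptions drawn from this thread's logs; the sample log is constructed from lines posted above.

```python
"""Triage a HijackThis 1.99 log for entries worth fixing or questioning.

Added example for this thread, not a HijackThis or forum tool. The rules
encode what the helper did by hand: R3/O2 entries whose file is gone are
orphaned registrations; an O2 BHO with no name that points at a
random-looking System32 DLL is how Vundo/Virtumonde (TR/Virtumod)
registers; an R0/R1 Internet Explorer setting pointing at an unknown host
is a hijacked start or search page.
"""
import re

# Assumed allow-list: hosts the helper left alone in the thread. Anything
# else in an R0/R1 or O16 line is reported for review.
KNOWN_HOSTS = {"att.yahoo.com", "update.microsoft.com"}

ORPHAN = re.compile(r"\((?:no file|file missing)\)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
IE_SETTING = re.compile(
    r"^R[01] - (?P<key>HK\w+\\.+?),(?P<value>[\w ]+) =\s*(?P<url>\S*)$")
O16_LINE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>.+?)\))? - (?P<src>.+)$")
# Vundo drops DLLs with short random lowercase names in System32
# (sstqr.dll in this thread); five letters is the pattern seen here (assumption).
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{5}\.dll", re.IGNORECASE)

# Constructed sample: lines taken from the logs posted in the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFB5CA51-1D7A-4FEC-904A-2AAA21DC6EA4} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


def host_of(url):
    """Return the lowercased host of an http(s) URL, or '' for anything else."""
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def classify(line):
    """Return a tag for one HijackThis line, or None if nothing stands out."""
    m = O2_LINE.match(line)
    if m and m.group("name") == "(no name)" and RANDOM_DLL.search(m.group("path")):
        return "vundo-bho"
    if line[:2] in ("R3", "O2") and ORPHAN.search(line):
        return "orphan"
    m = IE_SETTING.match(line)
    if m and m.group("url") and host_of(m.group("url")) not in KNOWN_HOSTS:
        return "ie-hijack"
    m = O16_LINE.match(line)
    if m and host_of(m.group("src")) and host_of(m.group("src")) not in KNOWN_HOSTS:
        return "activex-review"
    # Winlogon Notify DLLs are loaded by winlogon.exe, a classic persistence
    # spot; WgaLogon is Microsoft's, but the location still deserves a look.
    if line.startswith("O20 - Winlogon Notify:"):
        return "winlogon-notify"
    return None


def triage(log):
    """Return [(tag, line)] for every flagged line, in log order."""
    out = []
    for raw in log.splitlines():
        line = raw.rstrip()
        tag = classify(line)
        if tag:
            out.append((tag, line))
    return out


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print("%-16s %s" % (tag, line))
```

Run against the sample it reports the hijacked Search Bar, both orphaned entries, the sstqr.dll BHO, the acclaim.com ActiveX control and the Winlogon Notify entry, and stays silent on the Adobe BHO, the Windows Update control and the O23 service. "orphan" entries are safe to fix in HijackThis; the other tags are for a human to decide.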


----------



## tommy72ca (Sep 6, 2007)

Hi JSntgRvr,

The one in C:\WINDOWS\system32\msi.dll version is 3.1.4000.2435

There was also an Msi.dll located in C:\WINDOWS\system32\dllcache\msi.dll
They both have the same version number. However, the one located in C:\WINDOWS\system32\dllcache\msi.dll has an odd file size, it stated 2.75 MB (2,890,240 bytes) under Size, and 1.64 MB (1,724,416 bytes) under Size on disk. Not sure if that indicates anything.

I will proceed on the instruction you gave me and keep posting.
Thank you


----------



## JSntgRvr (Jul 1, 2003)

Here is another file I need you to run. Post the resulting report.


----------



## tommy72ca (Sep 6, 2007)

I am still unable to install SuperAntispyware after reboot.
Below is the new log. 

There's a file being called by the Service Registry, found by Trojan Remover.

C:\DOCUME~1\Thomas\LOCALS~1\Temp\catchme.sys 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\"ImagePath"

I click and select delete this file from the registry every time, but it doesn't seem to go away.
I will try reboot and post progress.

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages	REG_MULTI_SZ	msv1_0\0C:\\WINDOWS\\system32\\sstqr\0\0
Bounds	REG_BINARY	0030000000200000
Security Packages	REG_MULTI_SZ	kerberos\0msv1_0\0schannel\0wdigest\0\0
LsaPid	REG_DWORD	0x300
SecureBoot	REG_DWORD	0x1
auditbaseobjects	REG_DWORD	0x0
crashonauditfail	REG_DWORD	0x0
disabledomaincreds	REG_DWORD	0x0
everyoneincludesanonymous	REG_DWORD	0x0
fipsalgorithmpolicy	REG_DWORD	0x0
forceguest	REG_DWORD	0x1
fullprivilegeauditing	REG_BINARY	00
limitblankpassworduse	REG_DWORD	0x1
lmcompatibilitylevel	REG_DWORD	0x0
nodefaultadminowner	REG_DWORD	0x1
nolmhash	REG_DWORD	0x0
restrictanonymous	REG_DWORD	0x0
restrictanonymoussam	REG_DWORD	0x1
Notification Packages	REG_MULTI_SZ	scecli\0\0
ImpersonatePrivilegeUpgradeToolHasRun	REG_DWORD	0x1
enabledcom	REG_SZ	y

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache


----------



## JSntgRvr (Jul 1, 2003)

This is a long shot. My version of Windows Installer is 3.1.4000.4039 as it was modified by Windows Update KB927891 earlier this year. Attempt to download this update here:

https://www.microsoft.com/downloads...CD-A0B9-497E-8A89-404327772E5A&displaylang=en

There is a corrupted value in the LSA key. First backup your registry:


Go to *Start*->*Run*, Type *Regedit.exe * and click Ok.
The Registry Editor will be displayed.
Click on *My Computer * in the Editor to highlight it.
Select *File* from the *Menu*, then *Export*
Name the export *Backup*
Save it on C:\
You now have a backup of your registry on C:\ (*C:\Backup.reg*).

Download the enclosed folder. It contains a registry entries file. Once extracted, double click on the registry entries file and select *Yes* when prompted to merge it into your registry.

Restart the computer and test if you can download and install SuperAntispyware.

If unsuccessful, let's run another scanner:

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

I'll be checking on you in the AM.
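The corrupted value is visible in the query posted just above: `Authentication Packages` reads `msv1_0\0C:\\WINDOWS\\system32\\sstqr\0\0`, where the XP default is `msv1_0` alone. Every entry in that list is loaded by lsass.exe at boot, which is why the scanner earlier reported that sstqr.dll "could not be deleted": the DLL is mapped into a running process. Resetting the value and rebooting is what makes the file deletable. As an added example (not the registry file enclosed with the post), here is a Python script that parses the tab-separated REG.EXE 3.0 output seen in this thread, flags LSA package entries outside a baseline, and emits a .reg file that resets only the tampered values. The baseline is an assumption for XP SP2 (it matches the clean query posted later in the thread; other Windows versions and domain controllers differ), and the sample input is constructed from the posted query.

```python
"""Audit the LSA package lists in a `reg query` dump for injected DLLs.

Added example for this thread, not one of the helper's tools. Vundo-style
infections (TR/Virtumod here) append a DLL to
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages.
lsass.exe loads every entry at boot, so the DLL is always mapped and a
running system cannot delete it; the fix is to reset the value and reboot
before deleting the file. This parses the tab-separated REG.EXE 3.0 text
seen in the thread, decodes REG_MULTI_SZ and flags anything off-baseline.
"""

# Baseline for Windows XP SP2 (assumption; matches the clean query later in
# the thread). Other Windows versions and domain controllers differ.
BASELINE = {
    "Authentication Packages": ["msv1_0"],
    "Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest"],
    "Notification Packages": ["scecli"],
}

# Constructed sample: the infected query as posted, abbreviated.
SAMPLE = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "\t".join(["Authentication Packages", "REG_MULTI_SZ",
               r"msv1_0\0C:\\WINDOWS\\system32\\sstqr\0\0"]),
    "\t".join(["Security Packages", "REG_MULTI_SZ",
               r"kerberos\0msv1_0\0schannel\0wdigest\0\0"]),
    "\t".join(["Notification Packages", "REG_MULTI_SZ", r"scecli\0\0"]),
    "\t".join(["LsaPid", "REG_DWORD", "0x300"]),
])


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg.exe 3.0 output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        parts = line.split("\t", 2)
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            keys[current][name] = (vtype, data)
    return keys


def decode_multi_sz(data):
    """Decode reg.exe's textual REG_MULTI_SZ: '\\0' separators, '\\\\' escapes."""
    items = [s.replace("\\\\", "\\") for s in data.split("\\0")]
    return [s for s in items if s]


def audit_lsa(text):
    """Return [(value_name, entry)] for entries outside the baseline."""
    keys = parse_reg_query(text)
    lsa = next((v for k, v in keys.items()
                if k.lower().endswith("\\control\\lsa")), {})
    findings = []
    for name, expected in BASELINE.items():
        if name not in lsa:
            continue
        vtype, data = lsa[name]
        if vtype != "REG_MULTI_SZ":
            findings.append((name, "unexpected type " + vtype))
            continue
        for entry in decode_multi_sz(data):
            # Legitimate packages are bare module names resolved from System32;
            # an unknown name or a full path is how an injected DLL shows up.
            if entry.lower() not in expected or "\\" in entry:
                findings.append((name, entry))
    return findings


def build_fix_reg(findings):
    """Emit .reg text that resets only the tampered values to baseline.

    hex(7) is the .reg encoding of REG_MULTI_SZ: UTF-16LE, each string
    NUL-terminated, list terminated by an extra NUL.
    """
    lines = ["Windows Registry Editor Version 5.00", "",
             r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"]
    for name in sorted({n for n, _ in findings}):
        payload = "".join(s + "\0" for s in BASELINE[name]) + "\0"
        hexbytes = ",".join("%02x" % b for b in payload.encode("utf-16-le"))
        lines.append('"%s"=hex(7):%s' % (name, hexbytes))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = audit_lsa(SAMPLE)
    for name, entry in hits:
        print("%s: unexpected entry %r" % (name, entry))
    print(build_fix_reg(hits))
```

On the sample it reports the single rogue entry `C:\WINDOWS\system32\sstqr` under Authentication Packages and writes a .reg fragment that sets that value back to `msv1_0` and leaves Security Packages and Notification Packages untouched. Back up the registry before merging, as the post says; after the reboot lsass.exe no longer holds the DLL and it can be deleted normally.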


----------



## JSntgRvr (Jul 1, 2003)

> C:\DOCUME~1\Thomas\LOCALS~1\Temp\catchme.sys
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\"ImagePath"


That is part of Combofix, when catchme is run.

Go to *Start*->*Run*, type *CMD *and click *Ok*. The *MSDOS* window will be displayed. At the prompt type the following and press Enter after each line:

*SC Stop catchme
SC Delete catchme
Exit*

Please download *ATF Cleaner* by Atribune.
*This program is for XP and Windows 2000 only*

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

That should remove it.


----------



## tommy72ca (Sep 6, 2007)

SDFix: Version 1.102

Run by Administrator on Thu 09/06/2007 at 10:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\WINDOWS\S8E76DAF4.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished


----------



## tommy72ca (Sep 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 11:06:46 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://udn.com/NEWS/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


----------



## tommy72ca (Sep 6, 2007)

Still unable to install SuperAntispyware. Nor uninstall JavaRuntime.

Also in the HijackThis log,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro <== this link is invalid, should I remove it?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca * 

Run Query_2.bat and post its report.

Please take a screenshot of that window you receive when attempting to install SuperAntispyware:

You can do this by pressing the *PrintScreen* key.
Then go to Start > All Programs > Accessories > Paint
In Paint, go up to *Edit > Paste*
Then Go up to *File > Save As*. Click the drop-down box to change the *"Save As Type"* to *"JPEG"*, name it what you want, and save it where you want.
Then click *Add Reply* in this topic.
Scroll down to *Manage Attachments*.
Click the *Browse* button. 
Locate the file you just saved, click on it, then click *Open*. 
Click on *Upload*.
Close the *Attachments* window
Click *Submit Reply*.
Let me also take a deeper look:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *All*
In the *Win32 Services* group click *All*
In the *Driver Services* group click *All*
In the *Registry* group click *All*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only* is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only* is *UNCHECKED*.
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* section select *All* and *uncheck* *Non-Microsoft only*

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## tommy72ca (Sep 6, 2007)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages	REG_MULTI_SZ	msv1_0\0\0
Bounds	REG_BINARY	0030000000200000
Security Packages	REG_MULTI_SZ	kerberos\0msv1_0\0schannel\0wdigest\0\0
LsaPid	REG_DWORD	0x308
SecureBoot	REG_DWORD	0x1
auditbaseobjects	REG_DWORD	0x0
crashonauditfail	REG_DWORD	0x0
disabledomaincreds	REG_DWORD	0x0
everyoneincludesanonymous	REG_DWORD	0x0
fipsalgorithmpolicy	REG_DWORD	0x0
forceguest	REG_DWORD	0x1
fullprivilegeauditing	REG_BINARY	00
limitblankpassworduse	REG_DWORD	0x1
lmcompatibilitylevel	REG_DWORD	0x0
nodefaultadminowner	REG_DWORD	0x1
nolmhash	REG_DWORD	0x0
restrictanonymous	REG_DWORD	0x0
restrictanonymoussam	REG_DWORD	0x1
Notification Packages	REG_MULTI_SZ	scecli\0\0
ImpersonatePrivilegeUpgradeToolHasRun	REG_DWORD	0x1
enabledcom	REG_SZ	y

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache


----------



## tommy72ca (Sep 6, 2007)

Attached ScreenShot of WindowsInstaller Issue


----------



## tommy72ca (Sep 6, 2007)

WinPFind3U Log file


----------



## tommy72ca (Sep 6, 2007)

The log file exceeds the *.txt file size limit of 500kb
Waiting for further instructions


----------



## JSntgRvr (Jul 1, 2003)

tommy72ca said:


> The log file exceeds the *.txt file size limit of 500kb
> Waiting for further instructions


Divide the log in two files and upload both.


----------



## tommy72ca (Sep 6, 2007)

Here we go


----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca* 

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< Internet Explorer Settings > -> 
YN -> HKLM: Search Bar -> http://www.gozobil.lx.ro
[Files/Folders - Created Within 60 days]
NY -> check_LSA7.txt -> %SystemDrive%\check_LSA7.txt
NY -> S8E76DAF4.tmp -> %SystemRoot%\S8E76DAF4.tmp
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> rsxmivas.ini -> %System32%\rsxmivas.ini
NY -> sqisfcym.ini -> %System32%\sqisfcym.ini
NY -> tvvxyfvt.ini -> %System32%\tvvxyfvt.ini
[Files/Folders - Modified Within 30 days]
NY -> check_LSA7.txt -> %SystemDrive%\check_LSA7.txt
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> rsxmivas.ini -> %System32%\rsxmivas.ini
NY -> sqisfcym.ini -> %System32%\sqisfcym.ini
NY -> tvvxyfvt.ini -> %System32%\tvvxyfvt.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here on your next reply.*

Download the enclosed folder. Save and extract its contents to the desktop. It is another query to the registry and system directory concerning Windows Installer. *Please also post the resulting report.*


----------



## tommy72ca (Sep 6, 2007)

Explorer killed successfully
[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar deleted successfully.
[Files/Folders - Created Within 60 days]
C:\check_LSA7.txt moved successfully.
C:\WINDOWS\S8E76DAF4.tmp moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.ini moved successfully.
C:\WINDOWS\SYSTEM32\rsxmivas.ini moved successfully.
C:\WINDOWS\SYSTEM32\sqisfcym.ini moved successfully.
C:\WINDOWS\SYSTEM32\tvvxyfvt.ini moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\check_LSA7.txt not found!
File C:\WINDOWS\SYSTEM32\rqtss.ini not found!
File C:\WINDOWS\SYSTEM32\rsxmivas.ini not found!
File C:\WINDOWS\SYSTEM32\sqisfcym.ini not found!
File C:\WINDOWS\SYSTEM32\tvvxyfvt.ini not found!
[Empty Temp Folders]
C:\DOCUME~1\Thomas\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 09/07/2007 15:20:42

==========================================================

Volume in drive C has no label.
Volume Serial Number is 0487-8132

Directory of C:\WINDOWS\system32

04/18/2007 09:12 AM 2,854,400 msi.dll
04/18/2007 09:12 AM 2,854,400 msi.old
08/04/2004 12:56 AM 51,712 msident.dll
08/04/2004 12:56 AM 6,656 msidle.dll
08/18/2001 05:00 AM 14,848 msidntld.dll
08/04/2004 12:56 AM 248,832 msieftp.dll
05/04/2005 02:45 PM 78,848 msiexec.exe
05/04/2005 02:45 PM 78,848 msiexec.old
05/04/2005 02:45 PM 271,360 msihnd.dll
05/04/2005 02:45 PM 271,360 msihnd.old
08/04/2004 12:56 AM 4,608 msimg32.dll
05/04/2005 02:45 PM 884,736 msimsg.dll
08/04/2004 12:56 AM 159,232 msimtf.dll
08/18/2001 05:00 AM 98,304 msir3jp.dll
08/18/2001 05:00 AM 1,875,968 msir3jp.lex
08/18/2001 05:00 AM 368,710 msisam11.dll
05/04/2005 02:45 PM 15,360 msisip.dll
17 File(s) 10,138,182 bytes

Directory of C:\WINDOWS\system32\dllcache

04/18/2007 09:12 AM 2,854,400 msi.dll
08/18/2001 05:00 AM 14,848 msidntld.dll
05/04/2005 02:45 PM 78,848 msiexec.exe
05/04/2005 02:45 PM 271,360 msihnd.dll
08/18/2001 05:00 AM 39,936 msinfo32.exe
08/18/2001 05:00 AM 273,920 msiprov.dll
08/18/2001 05:00 AM 98,304 msir3jp.dll
08/18/2001 05:00 AM 1,875,968 msir3jp.lex
08/18/2001 05:00 AM 368,710 msisam11.dll
9 File(s) 5,876,294 bytes

Directory of C:\WINDOWS\system32\wbem

08/18/2001 05:00 AM 108,452 msi.mfl
08/18/2001 05:00 AM 165,430 msi.mof
08/18/2001 05:00 AM 273,920 msiprov.dll
3 File(s) 547,802 bytes

Total Files Listed:
29 File(s) 16,562,278 bytes
0 Dir(s) 101,302,378,496 bytes free

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\.msi
<NO NAME>	REG_SZ	Msi.Package

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Msi.Package
EditFlags	REG_BINARY	00001000
FriendlyTypeName	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-34
<NO NAME>	REG_SZ	Windows Installer Package

HKEY_CLASSES_ROOT\Msi.Package\DefaultIcon
<NO NAME>	REG_SZ	C:\WINDOWS\system32\msiexec.exe,0

HKEY_CLASSES_ROOT\Msi.Package\shell
<NO NAME>	REG_SZ	Open,Repair,Uninstall

HKEY_CLASSES_ROOT\Msi.Package\shell\Open
<NO NAME>	REG_SZ	&Install
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-36

HKEY_CLASSES_ROOT\Msi.Package\shell\Open\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /i "%1" %*

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair
<NO NAME>	REG_SZ	Re&pair
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-37

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /f "%1" %*

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall
<NO NAME>	REG_SZ	&Uninstall
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-38

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /x "%1" %*

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Msi.Patch
<NO NAME>	REG_SZ	Windows Installer Patch
EditFlags	REG_BINARY	00001000
FriendlyTypeName	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-35

HKEY_CLASSES_ROOT\Msi.Patch\DefaultIcon
<NO NAME>	REG_SZ	C:\WINDOWS\system32\msiexec.exe,0

HKEY_CLASSES_ROOT\Msi.Patch\shell
<NO NAME>	REG_SZ	Open

HKEY_CLASSES_ROOT\Msi.Patch\shell\Open
<NO NAME>	REG_SZ	&Apply Patch
MUIVerb	REG_EXPAND_SZ	@%SystemRoot%\System32\msi.dll,-39

HKEY_CLASSES_ROOT\Msi.Patch\shell\Open\command
<NO NAME>	REG_EXPAND_SZ	"%SystemRoot%\System32\msiexec.exe" /p "%1" %*


----------



## JSntgRvr (Jul 1, 2003)

I find absolutely nothing wrong with *Windows Installer*

Run the following commands one at a time and retry after a restart:

*C:\Windows\System32\msiexec.exe /unregister
C:\Windows\System32\msiexec.exe /regserver
regsvr32 /s C:\Windows\System32\msi.dll
regsvr32 /s C:\Windows\System32\msihnd.dll*

Did you ever have a problem installing or removing a program that never finished?

*How is the computer doing?*


----------



## tommy72ca (Sep 6, 2007)

Hi JSntgRvr,

The computer seems to run fine now, no signs of virus or malware.
Only thing left is just being unable to uninstall certain programs. I will try the commands you listed. So I would run them in cmd and reboot after each line?

Although I can't express my appreciation through simple words, I will make a donation to the TSG forums for the great help and assistance you have provided me.

Thomas


----------



## tommy72ca (Sep 6, 2007)

I just remembered using msconfig to set the computer to boot into safe mode.
All I did was check the box under BOOT.INI /SAFEBOOT and unchecked it after needing safe boot.
Could that cause some problems?


----------



## JSntgRvr (Jul 1, 2003)

tommy72ca said:


> I just remembered using msconfig to set the computer to boot into safe mode.
> All I did was check the box under BOOT.INI /SAFEBOOT and unchecked it after needing safe boot.
> Could that cause some problems?


It shouldn't. Run Msconfig. Check the Boot.ini tab. Are there any checkmarks under the options? Is the computer in Normal or Selective Startup?


----------



## tommy72ca (Sep 6, 2007)

There aren't any check marks under BOOT.INI and it's in normal boot up.
As far as I know, this isn't a virus related problem, but I didn't have any issue related to this prior to the infection. Where should I look for information related to this issue?
I've tried microsoft tech support board, if this problem can not be resolved then I will still have to reformat and start fresh.


----------



## JSntgRvr (Jul 1, 2003)

Google:

*The Windows Installer Service could not be accessed*

I am browsing to see if we haven't missed anything.

Create a Startup List

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
*Check off the 2 boxes next to the Box that says "Generate StartupList log"*
List also minor sections (full)
List empty sections (complete)
Click on the button "Generate StartupList log"
Save the log where you will remember it
Copy and paste the StartupList from the notepad into your next post
Navigate to C:\Windows. Locate the *WindowsUpdates.log* file. Open the file in notepad and post the last 30 lines of this report.


----------



## JSntgRvr (Jul 1, 2003)

Go to *Start*->*Run*, type *CMD *and click *Ok*. The *MSDOS* window will be displayed. At the prompt type the following and press Enter after each line:

*NET START MSISERVER
NET STOP MSISERVER
EXIT*

Report any error messages you get after running these commands.

*Verify the registry permissions*

Click Start, click Run, then type Regedt32.
For each of the registry hives, follow these steps:
Select the hive, such as *HKEY_CLASSES_ROOT*.
For Windows XP, on the Edit menu, click Permissions.

Verify that the *SYSTEM* account has been added and that it has Full control. If it does not, add the SYSTEM account with Full control.
Keep me posted.


----------



## tommy72ca (Sep 6, 2007)

StartupList report, 9/7/2007, 6:18:48 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Thomas\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
Logitech SetPoint.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Logitech Utility = Logi_MwX.Exe
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
LogitechCommunicationsManager = "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
LogitechQuickCamRibbon = "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe
avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

StartCCC = C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
DAEMON Tools = "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden


----------



## tommy72ca (Sep 6, 2007)

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Security Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[{20C2C286-BDE8-441B-B73D-AFA22D914DA5}]
CODEBASE = http://download.ppstream.com/bin/powerplayer.cab

[{231B1C6E-F934-42A2-92B6-C2FEFEC24276}]
CODEBASE = C:\Program Files\Yahoo!\common\yucconfig.dll

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176522973505

[GameLauncher Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\GAMELA~1.OCX
CODEBASE = http://www.acclaim.com/cabs/acclaim_v4.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[HGPlugin9USA Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HGPlugin9USA.dll
CODEBASE = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
AntiVir PersonalEdition Classic Scheduler: "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" (autostart)
AntiVir PersonalEdition Classic Guard: "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATITool Overclocking Utility: system32\DRIVERS\ATITool.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
avgio: \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys (system)
avgntflt: \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys (manual start)
avipbb: system32\DRIVERS\avipbb.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth Audio Device: system32\drivers\btaudio.sys (manual start)
Bluetooth Virtual Communications Driver: system32\DRIVERS\btport.sys (manual start)
Bluetooth Bus Enumerator: system32\DRIVERS\btkrnl.sys (manual start)
Bluetooth Service: C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe (autostart)
Bluetooth LAN Access Server: system32\DRIVERS\btwdndis.sys (manual start)
WIDCOMM USB Bluetooth Driver: System32\Drivers\btwusb.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
ENTECH: \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5bv.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver: system32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
FsVga: system32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\Drivers\l8042pr2.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech SetPoint KMDF HID Filter Driver: system32\DRIVERS\LHidFilt.Sys (manual start)
Logitech HID/USB Mouse Filter Driver: system32\DRIVERS\LHidFlt2.Sys (manual start)
Logitech USB Receiver device driver: System32\Drivers\LHidUsb.Sys (manual start)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech SetPoint KMDF Mouse Filter Driver: system32\DRIVERS\LMouFilt.Sys (manual start)
Logitech Mouse Class Filter Driver: System32\Drivers\LMouFlt2.sys (manual start)
Logitech AEC Driver: system32\DRIVERS\LVcKap.sys (manual start)
LVCOMSer: "C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe" (autostart)
Logitech Machine Vision Engine Loader: system32\DRIVERS\LVMVDrv.sys (manual start)
Logitech LVPr2Mon Driver: system32\DRIVERS\LVPr2Mon.sys (manual start)
Process Monitor: "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" (autostart)
LVSrvLauncher: C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (autostart)
Logitech USB Monitor Filter: system32\drivers\LVUSBSta.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: c:\windows\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NMIndexingService: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NTSIM: \??\C:\WINDOWS\system32\ntsim.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Logitech QuickCam IM(PID_PEPI): system32\DRIVERS\LV302V32.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: system32\DRIVERS\sbp2port.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssmdrv: system32\DRIVERS\ssmdrv.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{6A828310-F6CF-45CA-B2DB-30A8F12714F3} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TVICHW32: \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: system32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
videX32: system32\DRIVERS\videX32.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Wdf01000: system32\DRIVERS\Wdf01000.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_46e1ef43\UPDENGVDFTEST|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: %system%\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,711 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## JSntgRvr (Jul 1, 2003)

That log is clear. Were you able to check the WindowsUpdates.log file and permissions in the registry?


----------



## tommy72ca (Sep 6, 2007)

How do I check?


----------



## JSntgRvr (Jul 1, 2003)

See posts # 42 and # 43.


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed folder. Extract its contents to the desktop. Once extracted, open the *Perms* folder and doubleclick on the *Run Me.bat* file. Post the report it will produce.


----------



## tommy72ca (Sep 6, 2007)

2007-09-07	23:14:28:439	1140 f8	Agent * Target group: (Unassigned Computers)
2007-09-07	23:14:28:439	1140 f8	Agent * Windows Update access disabled: No
2007-09-07	23:14:34:628	1140 f8	DnldMgr	Download manager restoring 0 downloads
2007-09-07	23:14:34:758	1140 f8	AU	########### AU: Initializing Automatic Updates ###########
2007-09-07	23:14:34:758	1140 f8	AU # Approval type: Pre-download notify (User preference)
2007-09-07	23:14:37:542	1140 f8	AU	AU setting pending client directive to 'Download Approval'
2007-09-07	23:14:37:552	1140 f8	AU	AU finished delayed initialization
2007-09-07	23:14:42:930	1140 f8	Report	*********** Report: Initializing static reporting data ***********
2007-09-07	23:14:42:930	1140 f8	Report * OS Version = 5.1.2600.2.0.66304
2007-09-07	23:14:43:140	1140 f8	Report * Computer Brand = VIA Technologies, Inc.
2007-09-07	23:14:43:140	1140 f8	Report * Computer Model = KT400-8235
2007-09-07	23:14:43:150	1140 f8	Report * Bios Revision = 6.00 PG
2007-09-07	23:14:43:150	1140 f8	Report * Bios Name = Phoenix - AwardBIOS v6.00PG
2007-09-07	23:14:43:150	1140 f8	Report * Bios Release Date = 2003-02-13T00:00:00
2007-09-07	23:14:43:150	1140 f8	Report * Locale ID = 1033
2007-09-07	23:14:52:564	1140 f8	AU	Launched new AU client for directive 'Download Approval', session id = 0x0
2007-09-07	23:14:52:724	3892	f38	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-07	23:14:52:724	3892	f38	Misc = Process: C:\WINDOWS\system32\wuauclt.exe
2007-09-07	23:14:52:724	3892	f38	AUClnt	Launched Client UI process
2007-09-07	23:14:52:974	3892	f38	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-07	23:14:52:984	3892	f38	Misc = Process: C:\WINDOWS\system32\wuauclt.exe
2007-09-07	23:14:52:984	3892	f38	Misc = Module: C:\WINDOWS\system32\wucltui.dll
2007-09-07	23:14:52:974	3892	f38	CltUI	AU client got new directive = 'Download Approval', serviceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, return = 0x00000000
2007-09-07	23:14:52:984	3892	f38	CltUI	AU client creating default WU/WSUS UI plugin
2007-09-07	23:35:18:386 836	8b8	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-07	23:35:18:386 836	8b8	Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-07	23:35:18:386 836	8b8	Misc = Module: C:\WINDOWS\system32\wuapi.dll
2007-09-07	23:35:18:386 836	8b8	ARP	Connected to update session.
2007-09-07	23:35:18:386 836	8b8	ARP	User is allowed to install published content.
2007-09-07	23:35:18:937 836	8b8	ARP	Managed service NOT found.

=========END==========

The SYSTEM does have full control permission in regedt32


----------



## tommy72ca (Sep 6, 2007)

These Windows services are started:

AntiVir PersonalEdition Classic Guard
AntiVir PersonalEdition Classic Scheduler
Application Layer Gateway Service
Ati HotKey Poller
Automatic Updates
AVG Anti-Spyware Guard
Background Intelligent Transfer Service
Bluetooth Service
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
HID Input Service
Internet Connection Sharing
IPSEC Services
IPv6 Helper Service
LightScribeService Direct Disc Labeling Service
LVCOMSer
Network Connections
Network Location Awareness (NLA)
NMIndexingService
Plug and Play
Print Spooler
Process Monitor
Protected Storage
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Terminal Services
Themes
WebClient
Windows Audio
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.

RegDACL 6.2 - Permissions Manager for Registry keys for Windows
Copyright (c) 1999-2007 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKCR:
Full access HOMEUSA-THOMAS\Thomas
Full access NT AUTHORITY\SYSTEM
Full access BUILTIN\Administrators
Read NT AUTHORITY\RESTRICTED

RegDACL 6.2 - Permissions Manager for Registry keys for Windows
Copyright (c) 1999-2007 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKCU:
Full access HOMEUSA-THOMAS\Thomas
Full access NT AUTHORITY\SYSTEM
Full access BUILTIN\Administrators
Read NT AUTHORITY\RESTRICTED

RegDACL 6.2 - Permissions Manager for Registry keys for Windows
Copyright (c) 1999-2007 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM:
Full access NT AUTHORITY\SYSTEM
Full access BUILTIN\Administrators
Read Everyone
Read NT AUTHORITY\RESTRICTED

RegDACL 6.2 - Permissions Manager for Registry keys for Windows
Copyright (c) 1999-2007 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\MSIServer:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


----------



## tommy72ca (Sep 6, 2007)

I got an error in SERVICES.MSC trying to start the service, below is the message:

"Could not start the Windows Installer service on Local Computer"
Error 1067: The process terminated unexpectedly


----------



## tommy72ca (Sep 6, 2007)

Hi JSntgRvr
I have somehow made it work; now I have installed SuperAntiSpyware and successfully uninstalled Java.

I greatly appreciate your time and expert help.
Thomas


----------



## tommy72ca (Sep 6, 2007)

Still unable to install certain programs (Java Runtime).


----------



## tommy72ca (Sep 6, 2007)

After I tried using Microsoft Automatic Updates, everything seems to be back to normal, with Java 6u2 installed.
I will report back if more issues arise.

Once again, thank you The Tech Support Guy,
Thomas


----------



## JSntgRvr (Jul 1, 2003)

tommy72ca said:


> After I tried using Microsoft Automatic Updates, everything seems to be back to normal, with Java 6u2 installed.
> I will report back if more issues arise.
> 
> Once again, thank you The Tech Support Guy,
> Thomas


Seemed that you needed a Windows update and one of the Remote Procedure Call services, a dependency of Windows Installer, was not running. Run *SuperAntispyware* and post the resulting log.

Glad to learn there is a light at the end of the tunnel.


----------



## tommy72ca (Sep 6, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2007 at 00:52 AM

Application Version : 3.9.1008

Core Rules Database Version : 3302
Trace Rules Database Version: 1308

Scan type : Quick Scan
Total Scan Time : 00:13:58

Memory items scanned : 528
Memory threats detected : 0
Registry items scanned : 767
Registry threats detected : 0
File items scanned : 11480
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Thomas\Cookies\[email protected][2].txt


----------



## tommy72ca (Sep 6, 2007)

Hi JSntgRvr,
I have looked into the services settings and found out that setting both the RPC and Windows Installer services to automatic resolved the issue installing QuickTime.

Hopefully the settings will be stable after a few reboots, as there aren't any known problems anymore.

Thank you, Tech Support Guys, especially JSntgRvr,
You guys ROCK,
Thomas

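The two posts above trace the Windows Installer failure to a Remote Procedure Call dependency that was not running and fix it by setting both services to Automatic. The following PowerShell script is an added example, not something posted in this thread: it walks the dependency chain of a service (`MSIServer`, the Windows Installer service named in the RegDACL output, is assumed as the default) and reports any dependency that is stopped or disabled, so the same diagnosis can be made without clicking through SERVICES.MSC.

```powershell
# Added example (not from the thread): walk a service's dependency chain and
# report dependencies that are stopped or disabled. Assumes an elevated
# PowerShell session; 'MSIServer' (Windows Installer) is the assumed default.
param([string]$ServiceName = 'MSIServer')

function Get-ServiceChain {
    param([string]$Name, [hashtable]$Seen)
    # Guard against cycles and duplicates in the dependency graph.
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return }   # kernel drivers are not listed by Get-Service
    # Win32_Service exposes the startup type (Auto/Manual/Disabled) on every
    # PowerShell version; Get-Service only gained StartType in PowerShell 5.
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Name      = $svc.Name
        Display   = $svc.DisplayName
        Status    = $svc.Status
        StartMode = $wmi.StartMode
    }
    foreach ($dep in $svc.ServicesDependedOn) {
        Get-ServiceChain -Name $dep.Name -Seen $Seen
    }
}

$chain = Get-ServiceChain -Name $ServiceName -Seen @{}
$chain | Format-Table -AutoSize

# A stopped or disabled service anywhere in this chain is enough to keep
# Windows Installer from starting, which is the situation described above.
$problems = $chain | Where-Object {
    $_.Status -ne 'Running' -or $_.StartMode -eq 'Disabled'
}
if ($problems) {
    Write-Warning "Stopped or disabled services in the chain of ${ServiceName}:"
    $problems | Format-Table -AutoSize
} else {
    Write-Host "All services in the chain of $ServiceName are running."
}
```

On Windows XP-era systems without `Get-CimInstance`, replace it with `Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"`; the rest of the script is unchanged.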

----------



## JSntgRvr (Jul 1, 2003)

Hi, *tommy72ca*. 

Congratulations.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------

