
W232/VBStat.D and Hijackers


  • This topic is locked This topic is locked

#16 colonelsnow (Member, Topic Starter, 14 posts)
Hi:

I created new administrator account, ran AVG in safe mode. Same results. Does the registry need to be manually edited?
  • 0


#17 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello again

The malware scanner is meant to adjust those entries in the registry, but it has failed to do so. My first thought is that a virus may have either corrupted the keys, in which case no amount of registry editing will fix it, or it may just be a permissions problem.

Are you comfortable working within the registry?

In the meantime, let's try an edit and see what occurs. If all fails, then we can use very strong medicine, but I'd rather not.

Please follow these instructions carefully.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything; that's normal. Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer shows the hour glass.

Open Notepad, and copy everything inside the code box below (starting with REGEDIT4) and paste it into a new Notepad file. Change the "Save As Type" to "All Files". Save it as fixit.reg on your Desktop. Make sure there is NO blank line above REGEDIT4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Contact.Contacts]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Contact.Contacts.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1]


Locate fixit.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After it has merged successfully, reboot when prompted and try the scan again.
  • 0

#18 colonelsnow (Member, Topic Starter, 14 posts)
Hi:

I followed the instructions. Same result.

I am comfortable editing the registry.

Edited by colonelsnow, 17 February 2007 - 05:29 PM.

  • 0

#19 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello again

Well now I am beginning to suspect corrupted keys; if this doesn't work then we are into realms I'd rather not think about.

Go to START > RUN, type in regedit and hit ENTER.

A fresh window will open.

Navigate to each of the keys below, right-click (context menu) and choose PERMISSIONS.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Contact.Contacts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Contact.Contacts.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1

Please ensure that your account has the correct permissions. If it doesn't, please adjust it.

Any better?
  • 0
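A read-only diagnostic for the permissions question in the post above, added here as an example and not something Crustyoldbloke posted: it assumes PowerShell 2.0 or later in an elevated prompt, takes the same key list, and reports each key's owner, any Deny entries, and which of the rights regedit needs (Delete, ChangePermissions, TakeOwnership) the current account does not hold.

```powershell
# Added example (not from the thread): read-only report on the suspect keys.
# Nothing is modified; it only explains *why* regedit refuses the change.
$keyNames = @(
    'ClientAX.ClientInstaller', 'ClientAX.ClientInstaller.1',
    'ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.',
    'ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.1',
    'Contact.Contacts', 'Contact.Contacts.1',
    'ClientAX.RequiredComponent', 'ClientAX.RequiredComponent.1'
)

# SIDs of the current user and of every group in its token, as strings.
$id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Get-KeyAccessReport([string]$Name) {
    $path = "HKLM:\SOFTWARE\Classes\$Name"
    $r = New-Object PSObject -Property @{ Key = $Name; State = ''; Owner = ''; Deny = ''; Missing = '' }
    if (-not (Test-Path -LiteralPath $path)) { $r.State = 'absent'; return $r }
    try   { $acl = Get-Acl -LiteralPath $path }
    catch { $r.State = 'ACL unreadable'; $r.Deny = $_.Exception.Message; return $r }
    $r.Owner = $acl.Owner
    # Explicit Deny entries block access regardless of what Allow entries grant.
    $r.Deny  = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join '; '
    # Union of the Allow rights that apply to this token, by user or group SID.
    $granted = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account: cannot be one of ours
        if ($mySids -contains $sid) { $granted = $granted -bor [int]$ace.RegistryRights }
    }
    $need = @{ Delete            = [int][System.Security.AccessControl.RegistryRights]::Delete
               ChangePermissions = [int][System.Security.AccessControl.RegistryRights]::ChangePermissions
               TakeOwnership     = [int][System.Security.AccessControl.RegistryRights]::TakeOwnership }
    $r.Missing = ($need.Keys | Where-Object { ($granted -band $need[$_]) -eq 0 }) -join ','
    $r.State   = if ($r.Deny -or $r.Missing) { 'blocked' } else { 'ok' }
    return $r
}

$keyNames | ForEach-Object { Get-KeyAccessReport $_ } |
    Format-Table Key, State, Owner, Missing, Deny -AutoSize -Wrap
```

A key reported as 'blocked' with an empty Missing column but a populated Deny column is an ACL problem, whereas 'ACL unreadable' on an elevated prompt points to the key itself being damaged, which is the distinction the post is trying to draw.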

#20 colonelsnow (Member, Topic Starter, 14 posts)
It says I do not have permission. It will not let me change it. However I can do whatever I want with other registry keys.

Edited by colonelsnow, 17 February 2007 - 09:21 PM.

  • 0

#21 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
If you do the same but log on as the new account with admin status, what is the result?
  • 0

#22 colonelsnow (Member, Topic Starter, 14 posts)
Same results
  • 0

#23 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello again

Please ensure that fixit.reg is still on your desktop.

You will need to place your name, as it appears in the file path to your desktop, into the script below, replacing the capital-lettered "YOUR NAME".

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Programs to launch on reboot:
C:\Documents and Settings\YOUR NAME\Desktop\fixit.reg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy & paste the content of c:\avenger.txt into your reply, along with a fresh HJT log from normal mode, by using Add Reply.

Edited by Crustyoldbloke, 18 February 2007 - 06:33 PM.

  • 0

#24 colonelsnow (Member, Topic Starter, 14 posts)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rfphdvkw

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nndxsxsp

*******************

Script file located at: \??\C:\Program Files\ffywxfai.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Program C:\Documents and Settings\Sean\Desktop\fixit.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 6:46:16 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Net Nanny\nntray.exe
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe
C:\Documents and Settings\Sean\Desktop\Virus Stuff\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Harmony Remote Software 7.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.co...LPInstaller.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NNSvc - Looksmart, Ltd. - C:\Program Files\Net Nanny\nnsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

#25 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello again Sean

Avenger ran OK even though it found an error. Your HJT log looks OK.

The three possibilities in my mind at present are: run System File Checker and hope it fixes the services problem; swap IDs and hope that fresh IDs will not have the services error; or re-download SP2 and hope that it overwrites the error.

How's the PC running now?
  • 0


#26 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
