Virus problem

My apologies, yes. Before clicking on the Export button, please do the following:

Click on the + next to Microsoft to expand that key
Click on the + next to Windows to expand that key
Click on the + next to CurrentVersion to expand that key
Click on Uninstall to select that key.

Then proceed with File -> Export as before.
 
software_Unistall File

This should be what you're looking for. (I had to zip it in order to attach it on here, let me know if it doesn't work).
 

Attachments

  • software_Uninstall.zip
    361 bytes · Views: 3
That's it, but unfortunately it just confirms what I suspected. The key was corrupted before we started working on these fixes, which means that the backups that have been made through the repair process are no help. The only other possibility is to recover the missing registry entries from an old System Restore point. Do you remember when the list was last displaying correctly?
 
System Restore Point

Not specifically (I would guess around a month), but I have they System Restore automatically create restore points every week I think, so I can just keep going back until I find one that works. Should I do that?
 
System Restore Point

Ok, so I found a system restore point last week (before I started posting on this site), that I know was a time the Add/Remove Software was working (because I uninstalled a video game that day). So I did a System Restore, and it worked, I can see the entire list of programs (in Add/Remove Software). Since you mentioned that doing a system restore will wipe the stuff we did, I'm going to run ComboFix and HijackThis, and post the logs for you.
 
ComboFix Log

ComboFix 08-02-25.3 - Dylan 2008-02-25 10:21:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.595 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-21 10:51 . 2008-02-21 10:51 <DIR> d-------- C:\Deckard
2008-02-19 10:44 . 2008-02-19 10:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-19 10:37 . 2008-02-25 09:22 <DIR> d-------- C:\SDFix
2008-02-19 01:10 . 2008-02-19 01:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 22:53 . 2008-02-25 09:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 10:01 . 2008-02-18 02:11 <DIR> d-------- C:\Westwood
2008-02-14 14:44 . 2008-02-21 15:15 10,691 --a------ C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 16:19 --------- d-----w C:\Program Files\Viewpoint
2008-02-25 16:19 --------- d-----w C:\Documents and Settings\Dylan\Application Data\Viewpoint
2008-02-25 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 15:21 --------- d-----w C:\Program Files\Outspark
2008-02-22 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-19 05:52 --------- d-----w C:\Program Files\MSN Messenger
2008-02-19 05:40 --------- d-----w C:\Program Files\AIM6
2008-02-19 01:30 --------- d-----w C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 00:58 --------- d-----w C:\Program Files\Maxis
2008-02-17 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25 --------- d-----w C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29 --------- d-----w C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25 --------- d-----w C:\Program Files\NCH Software
2008-02-12 19:58 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 19:00 --------- d-----w C:\Program Files\Diablo II
2008-01-31 05:54 --------- d-----w C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03 --------- d-----w C:\Program Files\Hero Editor
2008-01-22 06:02 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02 249,856 ------w C:\WINDOWS\Setup1.exe
2008-01-19 14:52 --------- d-----w C:\Program Files\EA GAMES
2008-01-19 14:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-21 18:53 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-11-11 12:16 1,740 ----a-w C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26 3,206,344 ----a-w C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00 265,396 ----a-w C:\Documents and Settings\Dylan\DOS4GW.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 22:05 982016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 21:21 185784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
C:\WINDOWS\system32\sinmax.exe s
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 10:22:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 10:23:01
ComboFix-quarantined-files.txt 2008-02-25 16:22:39
ComboFix2.txt 2008-02-25 16:18:17
ComboFix3.txt 2008-02-20 08:15:32
ComboFix4.txt 2008-02-19 07:03:59
.
2008-02-14 21:54:11 --- E O F ---
 
Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 10:24:11 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 
OK, I was going to suggest we just get the valid entries from the known good restore point, but this will work as well. A few final malware removal steps then:

Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:
Code: 
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
Please close all open windows except for HijackThis and choose Fix checked

Please reboot and post a new HijackThis log.
 
Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 10:17:20 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 
That log looks clean, are there any remaining problems? There's one last entry that can be removed for cleanup purposes even though it's not malicious:

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Please close all open windows except for HijackThis and choose Fix checked
 
Well, looks like the viruses are all gone. Thank you for your help. It is most appreciated. I have a couple of small questions for you. Do you know of a good firewall (freeware) that I can use? I'm a high level user, and I don't want to have a firewall that blocks my own stuff. My other question is: how do you read Hijack This logs? Does it take experience, or just learning what to recognize?
 
You're welcome.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. When a program attempts to connect to the Internet, you'll be prompted to permit or deny it access, but you can tell it to remember the setting so that you won't be prompted every time your programs try to access the Internet.

With regards to reading HijackThis logs, it takes a lot of experience and proper training to do so well. If you're looking to learn more, there are a number of online training sites that can help. I've listed some of the most popular ones at http://www.computerforum.com/853855-post10.html

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 
You must log in or register to reply here.
Back
Top