> Google redirects & spybot,hijack this problems
arfon.jones
post Oct 11 2009, 04:59 PM
Post #1


Group: Authentic Member
Posts: 68
Joined: 4-October 09
Member No.: 88,235
Operating System: windows xp

I have had problems with my computer since detecting the virus Antivirus Pro 2010. I have managed to delete that. I am now having several problems with:
1. Google redirects to other search engines
2. Have installed Spybot S&D and trying to run it have the error: Windows cannot access the specific device, path, or file. You may not have the appropriate permission to access the item.
3. Have tried downloading HijackThis, which also refuses to run
4. AVG 8.5 will not perform a system scan but shows that everything is working. (I have tried uninstalling it and reinstalling with no luck)
5. RegCure and Spyware Doctor work and scan the system, find infections and cure them, but they keep reappearing on the next scan.
I think I have included everything; my operating system is Win XP.
I hope you can help. Many thanks, Arfon

Replies (90 - 104)

noahdfear
post Nov 18 2009, 05:00 PM
Post #91


Group: Malware Expert
Posts: 352
Joined: 14-June 05
Member No.: 34,633
Operating System: XP Pro & Vista
MVP

Hi arfon,

While working with the serv.txt log you uploaded I noticed that it appears some essential service keys are missing from your registry, and I need to verify. Please load MiniXP and Registry Editor PE, no user hive necessary, then copy and paste the contents of the code box below into a command window.

CODE
@echo off
reg save HKLM\_REMOTE_SYSTEM\ControlSet005\services "%userprofile%\desktop\services.hiv"
exit
cls


A file named services.hiv should appear on the desktop.
Please upload that file to my submission channel.

arfon.jones
post Nov 18 2009, 05:21 PM
Post #92

Hi Dave,
file has been uploaded.
Arfon

noahdfear
post Nov 18 2009, 05:49 PM
Post #93

Received, thanks!

This may take me a while.

noahdfear
post Nov 18 2009, 08:51 PM
Post #94

I found only a couple of inconsistencies and have fixed them.
Please download this file to the MiniXP desktop.
Start Registry Editor PE, no user hive necessary.
Once loaded, double click the downloaded file on the desktop.
When it closes, exit the registry editor, wait for the All Finished message and restart to see if the machine will boot normally.

arfon.jones
post Nov 19 2009, 04:07 PM
Post #95

Hi Dave,
Sorry to say, but the last updated file was not successful. One thing I noticed on boot up that I haven't seen before, just before the Windows XP logo with strobing lights:
a message in the top left corner: INVALID BOOT INI FILE
BOOTING FROM C:\ WINDOWS\
Don't know if that has any relevance.
Many thanks, Arfon

noahdfear
post Nov 19 2009, 09:15 PM
Post #96

I'd like to make sure the hive was successfully imported. Please load MiniXP and Registry Editor PE, no user hive necessary, then copy and paste the contents of the code box below into a command window.

CODE
@echo off
reg save HKLM\_REMOTE_SYSTEM\ControlSet005\services "%userprofile%\desktop\services2.hiv"
exit
cls


A file named services2.hiv should appear on the desktop.
Please upload that file to my submission channel.

Next, let's check the boot.ini file. Paste the following into the command window, then post the log that opens.

CODE
type c:\boot.ini>%temp%\boot.txt
start notepad %temp%\boot.txt
exit
cls

arfon.jones
post Nov 20 2009, 02:08 PM
Post #97

Hello Dave,
I have posted a services2.hiv to your submission channel. I also ran the second boot ini file but the result in Metapad came up blank.

noahdfear
post Nov 20 2009, 02:53 PM
Post #98

The hive appears to have been merged successfully. Please take a look in Local Disk C: using Windows Explorer and tell me what files are there whose name begins with boot (like boot.ini, boot.backup, boot.basevid, etc).

This post has been edited by noahdfear: Nov 20 2009, 02:54 PM

arfon.jones
post Nov 20 2009, 04:13 PM
Post #99

Hi, there are 2 files:
1. boot.backup
2. boot.basevid

noahdfear
post Nov 20 2009, 04:21 PM
Post #100

Please right click the boot.backup file and Rename to boot.ini

Still working on the next attempt at normal bootup.

noahdfear
post Nov 22 2009, 10:34 AM
Post #101

Hi arfon,

Just wanted to let you know that I haven't abandoned you. I expect to have a new test ready later today.

noahdfear
post Nov 22 2009, 03:30 PM
Post #102

Here we go

Boot into MiniXP and download this file to the desktop.

Double click the file to run it.
It will first make backups of several files, and if successful, will pause and instruct you to load Registry Editor PE.
If unsuccessful, it will exit and open a log that needs to be posted here.
It is not necessary to load any user hives.
Once Registry Editor PE is fully loaded and the registry editor opens, minimize it to the taskbar. Do NOT close the editor!
Press any key to allow the tool to continue running (it will ask you again if you're sure).
When complete, a log will open.
Post its contents here.
Please do not attempt to start the computer normally until I've responded to the log.

Now, so that you know what we're doing:

The tool will configure your system to do a diagnostic startup.
In doing so, it's necessary to re-write the system.ini and win.ini files.
It is also necessary to disable most services and startup items.
The tool does this by creating the necessary registry keys to re-enable them later, and modifying the Start value of the associated registry values for those services.
As mentioned above, backups will first be made of all files and registry hives.

arfon.jones
post Nov 22 2009, 04:47 PM
Post #103

Hi Dave,
I'm in the process of running the diagnostics file and have a question. It has ended with - 'the operation completed successfully' Value key exists, overwrite (Y/N) ?
Just checking in case I answer wrongly.

noahdfear
post Nov 22 2009, 04:51 PM
Post #104

Yes, and the same if prompted any more.

arfon.jones
post Nov 22 2009, 05:02 PM
Post #105

Hi Dave
here is my latest log
many thanks. Arfon

---- System.ini ----

;msconfig ; for 16-bit app support
[drivers]
;msconfig wave=mmdrv.dll
;msconfig timer=timer.drv
;msconfig [mci]
;msconfig [driver32]
[386enh]
;msconfig woafont=app850.FON
;msconfig EGA80WOA.FON=EGA80850.FON
;msconfig EGA40WOA.FON=EGA40850.FON
;msconfig CGA80WOA.FON=CGA80850.FON
;msconfig CGA40WOA.FON=CGA40850.FON
[ScreenTime]
;msconfig Password Value=0
[TTFontDimenCacheDBCS]
;msconfig 0 10=6 10
;msconfig 0 11=7 11
;msconfig 0 12=7 12
;msconfig 0 13=8 13
;msconfig 0 14=8 14
;msconfig 0 15=9 15
;msconfig 0 16=10 16
;msconfig 0 18=11 18
;msconfig 0 20=12 20
;msconfig 0 22=13 22

---- Win.ini ----

;msconfig ; for 16-bit app support
;msconfig [fonts]
;msconfig [extensions]
;msconfig [mci extensions]
;msconfig [files]
[Mail]
;msconfig MAPI=1
;msconfig CMC=1
;msconfig CMCDLLNAME=mapi.dll
;msconfig CMCDLLNAME32=mapi32.dll
;msconfig MAPIX=1
;msconfig MAPIXVER=1.0.0.1
;msconfig OLEMessaging=1
[MCI Extensions.BAK]
;msconfig aif=MPEGVideo
;msconfig aifc=MPEGVideo
;msconfig aiff=MPEGVideo
;msconfig asf=MPEGVideo
;msconfig asx=MPEGVideo
;msconfig au=MPEGVideo
;msconfig m1v=MPEGVideo
;msconfig m3u=MPEGVideo
;msconfig mp2=MPEGVideo
;msconfig mp2v=MPEGVideo
;msconfig mp3=MPEGVideo
;msconfig mpa=MPEGVideo
;msconfig mpe=MPEGVideo
;msconfig mpeg=MPEGVideo
;msconfig mpg=MPEGVideo
;msconfig mpv2=MPEGVideo
;msconfig snd=MPEGVideo
;msconfig wax=MPEGVideo
;msconfig wm=MPEGVideo
;msconfig wma=MPEGVideo
;msconfig wmv=MPEGVideo
;msconfig wmx=MPEGVideo
;msconfig wpl=MPEGVideo
;msconfig wvx=MPEGVideo
;msconfig m2v=MPEGVideo
;msconfig mod=MPEGVideo
[IRIS_IPE]
;msconfig menu=1
[drawdib]
;msconfig vga.drv 1024x768x32(BGR 0)=15,23,1,31
[Readiris]
;msconfig Scanner32=Twaino38,23
[annie]
;msconfig FrameRate=333333
;msconfig CaptureFile=C:\Documents and Settings\Arfon Jones\My Documents\carwyn\Photos\fi4
;msconfig VideoDevice2=@device:cm:{860BB310-5D01-11D0-BD3B-00A0C911CE86}\SoC PC-Camer@ (VFW)
;msconfig AudioDevice2=
;msconfig UseFrameRate=1
;msconfig CaptureAudio=0
;msconfig CaptureCC=0
;msconfig WantPreview=1
;msconfig MasterStream=1
;msconfig UseTimeLimit=0
;msconfig TimeLimit=0
[DPE]
;msconfig Toolbar=1
;msconfig SN75=43011702


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini REG_DWORD 0x1
win.ini REG_DWORD 0x1
bootini REG_DWORD 0x0
services REG_DWORD 0x1
startup REG_DWORD 0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\4oD
item REG_SZ 4oD
command REG_SZ "C:\Program Files\Kontiki\KHost.exe" -all
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
item REG_SZ Adobe Photo Downloader
command REG_SZ "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ AVG8_TRAY
hkey REG_SZ HKLM
command REG_SZ c:\progra~1\avg\avg8\avgtray.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CRBroadCasting
item REG_SZ CRBroadCasting
command REG_SZ C:\Program Files\CardReader2.0\CRBroadCasting.exe
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gutemokazi
item REG_SZ gutemokazi
command REG_SZ Rundll32.exe "C:\WINDOWS\system32\werukuwe.dll",s
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ hpcmpmgr
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ HPWuSchd2
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ hpztsb10
hkey REG_SZ HKLM
command REG_SZ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IntelliPoint
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ ipoint
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISTray
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ ISTray
hkey REG_SZ HKLM
command REG_SZ "c:\program files\spyware doctor\pctsTray.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ iTunesHelper
hkey REG_SZ HKLM
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
item REG_SZ KernelFaultCheck
command REG_SZ %systemroot%\system32\dumprep 0 -k
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mserv
item REG_SZ mserv
hkey REG_SZ HKEY_CURRENT_USER
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ NeroCheck
hkey REG_SZ HKLM
command REG_SZ C:\WINDOWS\system32\NeroCheck.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key REG_SZ Run
item REG_SZ QuickTime Task
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
item REG_SZ RemoteControl
command REG_SZ c:\windows\system32\rmctrl.exe
hkey REG_SZ HKLM
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioDragToDisc
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ DrgToDsc
hkey REG_SZ HKLM
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMan
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ SOUNDMAN
hkey REG_SZ HKLM
command REG_SZ SOUNDMAN.EXE
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ SunJavaUpdateSched
hkey REG_SZ HKLM
command REG_SZ "c:\program files\java\jre6\bin\jusched.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg
key REG_SZ Run
item REG_SZ swg
hkey REG_SZ HKEY_CURRENT_USER
inimapping REG_SZ 0
command REG_SZ "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
item REG_SZ TkBellExe
command REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
hkey REG_SZ HKLM
key REG_SZ Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ AdobeUpdateManager
hkey REG_SZ HKCU
command REG_SZ "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WMPNSCFG
item REG_SZ WMPNSCFG
command REG_SZ C:\Program Files\Windows Media Player\WMPNSCFG.exe
hkey REG_SZ HKEY_CURRENT_USER
key REG_SZ Run

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Lavasoft Ad-Aware Service REG_DWORD 0x2
Winsock - Google Desktop Search Backup Before First Install REG_DWORD 0x3
Winsock - Google Desktop Search Backup Before Last Install REG_DWORD 0x3
ALG REG_DWORD 0x3
AppMgmt REG_DWORD 0x3
aspnet_state REG_DWORD 0x3
AudioSrv REG_DWORD 0x2
BITS REG_DWORD 0x3
Browser REG_DWORD 0x2
CiSvc REG_DWORD 0x3
ClipSrv REG_DWORD 0x4
clr_optimization_v2.0.50727_32 REG_DWORD 0x3
COMSysApp REG_DWORD 0x3
CryptSvc REG_DWORD 0x2
Dhcp REG_DWORD 0x2
dmadmin REG_DWORD 0x3
dmserver REG_DWORD 0x3
Dnscache REG_DWORD 0x2
Dot3svc REG_DWORD 0x3
EapHost REG_DWORD 0x3
ERSvc REG_DWORD 0x2
Eventlog REG_DWORD 0x2
EventSystem REG_DWORD 0x3
FastUserSwitchingCompatibility REG_DWORD 0x3
FontCache3.0.0.0 REG_DWORD 0x3
gupdate1c9b63b8cc7536e REG_DWORD 0x2
gusvc REG_DWORD 0x3
helpsvc REG_DWORD 0x2
HidServ REG_DWORD 0x2
hkmsvc REG_DWORD 0x3
HPZid412 REG_DWORD 0x3
HPZipr12 REG_DWORD 0x3
HPZius12 REG_DWORD 0x3
HTTPFilter REG_DWORD 0x3
IDriverT REG_DWORD 0x3
idsvc REG_DWORD 0x3
ImapiService REG_DWORD 0x3
JavaQuickStarterService REG_DWORD 0x2
lanmanserver REG_DWORD 0x2
lanmanworkstation REG_DWORD 0x2
LmHosts REG_DWORD 0x2
mnmsrvc REG_DWORD 0x3
MSDTC REG_DWORD 0x3
MSIServer REG_DWORD 0x3
napagent REG_DWORD 0x3
Netlogon REG_DWORD 0x3
Netman REG_DWORD 0x3
Nla REG_DWORD 0x3
NtLmSsp REG_DWORD 0x3
NtmsSvc REG_DWORD 0x3
PCTCore REG_DWORD 0x0
PlugPlay REG_DWORD 0x2
PolicyAgent REG_DWORD 0x2
ProtectedStorage REG_DWORD 0x2
RasAuto REG_DWORD 0x3
RasMan REG_DWORD 0x3
RDSessMgr REG_DWORD 0x3
RemoteAccess REG_DWORD 0x4
RSVP REG_DWORD 0x3
SamSs REG_DWORD 0x2
SCardSvr REG_DWORD 0x3
Schedule REG_DWORD 0x2
sdAuxService REG_DWORD 0x2
sdCoreService REG_DWORD 0x2
seclogon REG_DWORD 0x2
SENS REG_DWORD 0x2
SharedAccess REG_DWORD 0x2
ShellHWDetection REG_DWORD 0x2
Spooler REG_DWORD 0x2
sptd REG_DWORD 0x0
srservice REG_DWORD 0x2
SSDPSRV REG_DWORD 0x2
StarOpen REG_DWORD 0x1
stisvc REG_DWORD 0x2
SwPrv REG_DWORD 0x3
SysmonLog REG_DWORD 0x3
TapiSrv REG_DWORD 0x3
TermService REG_DWORD 0x3
Themes REG_DWORD 0x2
TrkWks REG_DWORD 0x2
upnphost REG_DWORD 0x3
vaxscsi REG_DWORD 0x3
VSS REG_DWORD 0x2
W32Time REG_DWORD 0x2
WebClient REG_DWORD 0x2
winmgmt REG_DWORD 0x2
WmdmPmSN REG_DWORD 0x3
Wmi REG_DWORD 0x3
WmiApSrv REG_DWORD 0x3
WMPNetworkSvc REG_DWORD 0x2
wscsvc REG_DWORD 0x2
wuauserv REG_DWORD 0x2
WZCSVC REG_DWORD 0x2
xmlprov REG_DWORD 0x3


all copy and rename procedures executed successfully
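
The log in post #105 is REG.EXE output of the MSConfig keys written for the diagnostic startup described in post #102. The following Python parser is an added example, not part of the thread and not the helper's tool: it reads a few lines excerpted from that log, decodes the saved service Start values, and lists startup entries that merit a closer look. The function names, the reading of the `services` values as standard service start types (0 Boot through 4 Disabled), and the triage rule are assumptions of this example.

```python
import re

# Lines excerpted from the log in post #105 (spacing as it appears on the page).
SAMPLE_LOG = r'''! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gutemokazi
item REG_SZ gutemokazi
command REG_SZ Rundll32.exe "C:\WINDOWS\system32\werukuwe.dll",s
hkey REG_SZ HKLM
key REG_SZ Run
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mserv
item REG_SZ mserv
hkey REG_SZ HKEY_CURRENT_USER
key REG_SZ Run
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
item REG_SZ NeroCheck
command REG_SZ C:\WINDOWS\system32\NeroCheck.exe
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Winsock - Google Desktop Search Backup Before First Install REG_DWORD 0x3
PCTCore REG_DWORD 0x0
RemoteAccess REG_DWORD 0x4
wscsvc REG_DWORD 0x2
'''

# "<value name> <REG_type> <data>"; names may contain spaces, data may be empty.
VALUE_RE = re.compile(r'^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$')
# Assumption: saved values use the standard service Start types.
START_TYPES = {0: 'Boot', 1: 'System', 2: 'Automatic', 3: 'Manual', 4: 'Disabled'}

def parse_reg_log(text):
    """Return {key_path: {value_name: data}}; banner and blank lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = VALUE_RE.match(line)
        if line.startswith('HKEY_'):
            current = keys.setdefault(line, {})
        elif match and current is not None:
            current[match['name']] = match['data'] or ''
    return keys

def saved_service_starts(keys):
    """Decode the MSConfig\\services key: each service's Start type before the change."""
    for path, values in keys.items():
        if path.lower().endswith('\\msconfig\\services'):
            return {name: START_TYPES.get(int(data, 16), data) for name, data in values.items()}
    return {}

def review_startup_items(keys):
    """Triage rule (assumption): flag entries with no command or a rundll32-loaded DLL."""
    findings = []
    for path, values in keys.items():
        if '\\msconfig\\startupreg\\' not in path.lower():
            continue
        command = values.get('command')
        if command is None:
            findings.append((values.get('item'), 'no command value saved'))
        elif command.lower().lstrip('"').startswith('rundll32'):
            findings.append((values.get('item'), 'launches a DLL via rundll32: ' + command))
    return findings
```

Running `review_startup_items(parse_reg_log(text))` over the full log text gives a short list to check by hand before any entry is re-enabled.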
