# regedit files?



## korenza

Earlier I downloaded an .exe and used it, and ever since then (I've since uninstalled it) the "Automatic Updates" section of the Microsoft Security Center has been disabled and I cannot re-enable it. I've gone to Automatic Updates, enabled the Automatic (recommended) option and applied it, but it still says on my taskbar that Automatic Updates are off...
So I've been looking around, and I went in regedit to "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", where my Windows Update registry keys were supposed to be, but they were gone...

So, assuming that the thing I installed removed the Windows Update reg keys... is there a way I can restore just those registry keys? Like downloading the default files off the internet and re-enabling them?

I don't know a whole lot about how this works, so if someone could give me some ideas or a link to where I can download the default reg files... that would be nice.

Thanks for your time.


----------



## cohen

System Restore to a day when it wasn't installed.


----------



## korenza

Already tried that... the last point I can go to is right after I used the corrupted file.
Now I can't use Windows Update at all... even if I go to the link on the Windows page it won't let me, because Automatic Updates is always turned off.


----------



## G25r8cer

korenza said:


> Earlier I downloaded an .exe and used it, and ever since then (I've since uninstalled it) the "Automatic Updates" section of the Microsoft Security Center has been disabled and I cannot re-enable it. I've gone to Automatic Updates, enabled the Automatic (recommended) option and applied it, but it still says on my taskbar that Automatic Updates are off...
> So I've been looking around, and I went in regedit to "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", where my Windows Update registry keys were supposed to be, but they were gone...
> 
> So, assuming that the thing I installed removed the Windows Update reg keys... is there a way I can restore just those registry keys? Like downloading the default files off the internet and re-enabling them?
> 
> I don't know a whole lot about how this works, so if someone could give me some ideas or a link to where I can download the default reg files... that would be nice.
> 
> Thanks for your time.



There is no file there anyway! It is just a default key.
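An added check, not from any poster in this thread: rather than looking for the Policies\...\AU key alone (which is absent on a default install, so its absence proves nothing), dump every setting that decides whether Automatic Updates reports as "on". The registry paths and value names are the documented Windows Update and Security Center ones; the function names and the interpretation strings are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report the state behind the "Automatic Updates is off" balloon.
function Get-AutoUpdateState {
    # Group Policy override. Does not exist on a default install; that is normal.
    # When present with NoAutoUpdate=1 it overrides whatever the control panel shows.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    # The Automatic Updates control panel writes here. AUOptions: 1 = off,
    # 2 = notify before download, 3 = download and notify, 4 = install on schedule.
    $userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    # Security Center "don't nag me" flags; rogue AV routinely sets these to 1.
    $wscKey    = 'HKLM:\SOFTWARE\Microsoft\Security Center'

    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $usr = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
    $wsc = Get-ItemProperty -Path $wscKey    -ErrorAction SilentlyContinue
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    # Property access on $null yields $null without an error (strict mode off),
    # so a missing key simply shows up as empty fields.
    $status    = if ($svc) { [string]$svc.Status }    else { 'missing' }
    $startType = if ($svc) { [string]$svc.StartType } else { $null }   # StartType needs PS 5+

    [pscustomobject]@{
        PolicyKeyPresent       = [bool]$pol
        PolicyNoAutoUpdate     = $pol.NoAutoUpdate
        PolicyAUOptions        = $pol.AUOptions
        UserAUOptions          = $usr.AUOptions
        AntiVirusDisableNotify = $wsc.AntiVirusDisableNotify
        UpdatesDisableNotify   = $wsc.UpdatesDisableNotify
        ServiceStatus          = $status
        ServiceStartType       = $startType
    }
}

# Turn the raw state into the list of things that would keep Automatic Updates off.
function Test-AutoUpdateBlocked {
    param([Parameter(Mandatory)]$State)
    $reasons = @()
    if ($State.PolicyNoAutoUpdate -eq 1) {
        $reasons += 'Policy NoAutoUpdate=1 overrides the control panel setting'
    }
    if ($State.UserAUOptions -eq 1) {
        $reasons += 'Auto Update\AUOptions=1: switched off at the control panel level'
    }
    if ($State.ServiceStatus -eq 'missing') {
        $reasons += 'wuauserv is not registered as a service'
    } elseif ($State.ServiceStartType -eq 'Disabled') {
        $reasons += 'wuauserv start type is Disabled'
    }
    if ($State.UpdatesDisableNotify -eq 1) {
        $reasons += 'Security Center told not to report update status (UpdatesDisableNotify=1)'
    }
    $reasons
}

$state = Get-AutoUpdateState
$state | Format-List
$why = @(Test-AutoUpdateBlocked -State $state)
if ($why.Count -gt 0) {
    $why | ForEach-Object { Write-Output "BLOCKED: $_" }
} else {
    Write-Output 'Nothing in the registry or service state is disabling Automatic Updates.'
}
```

If the policy key is present at all on a home machine that is not domain-joined, something other than the user put it there; if it is absent and the control panel value is sane but the service is gone or disabled, the fix is the service, not a .reg file.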


----------



## GameMaster

I'm sure one program could solve the Windows Update problem, if your computer isn't infected.
Sometimes Trojans disable the updates, but it may just be some... usual problem.

Download Dial-a-Fix. Extract it to a Dial-a-Fix folder and run it (that's the first icon, the left one).
When you've opened it, you should be able to see some choices like Prep, MSI, WU/WUAU and so on.

Check the Fix Windows Update box. That should automatically check the next three boxes. That should be enough, but I always check all the boxes (for extra effect). When you've chosen what you want to check, click *Go* (in the lower left corner).

Does your problem still exist?


----------



## G25r8cer

^^ Dial-a-Fix works great


----------



## korenza

Ahhh, you're right. It isn't just me. There are no keys there anyway...

Okay, so I'll try Dial-a-Fix and see if I can fix this...

Oh, and btw I figured out what I got... it was antivirus2008.exe.

I looked it up and apparently it's a pretty well-known spyware or something like that... I just don't know how to fix it.

EDIT: I did all that stuff, clicked the check box with the other three boxes checked and pressed Go... and after it did all that registering and stuff I got an error 0x80070005 access denied. Then it continues after I press OK with the Stop Services box unchecked, and now I get another error, "Error -2147023824". Then it continues with the "Register WUAU DLLs" box unchecked... that didn't work either... and now it doesn't have anything checked in on Windows Update...
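An added example, not part of the thread: the two values Dial-a-Fix printed are the same kind of number in two spellings. An HRESULT that wraps a Win32 error has facility 7 (FACILITY_WIN32) and carries the Win32 code in its low 16 bits, and GUI tools often print the 32-bit value as a signed decimal. The function below (its name is this example's own) decodes either spelling and asks the OS message table for the Win32 text.

```powershell
# Added example: decode HRESULTs such as 0x80070005 or -2147023824.
function ConvertTo-Win32Error {
    param([Parameter(Mandatory)][string]$Code)

    # Accept "0x...." hex, or the signed decimal form that some tools print.
    if ($Code -match '^0x') {
        $u = [Convert]::ToUInt32($Code.Substring(2), 16)
    } else {
        # Reinterpret the int32 bit pattern as uint32 instead of doing arithmetic on it.
        $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Code), 0)
    }

    $v        = [int64]$u                 # widen so shifts never touch a sign bit
    $severity = ($v -shr 31) -band 1      # 1 = failure
    $facility = ($v -shr 16) -band 0x1FFF # 7 = FACILITY_WIN32
    $low      = $v -band 0xFFFF           # the Win32 error code when facility is 7

    $message = if ($facility -eq 7) {
        # Win32Exception(int) formats the system message for that error number.
        (New-Object System.ComponentModel.Win32Exception ([int]$low)).Message
    } else {
        'not a Win32-wrapped HRESULT; look the facility up in winerror.h'
    }

    [pscustomobject]@{
        Input     = $Code
        HResult   = '0x{0:X8}' -f $u
        Failure   = [bool]$severity
        Facility  = $facility
        Win32Code = [int]$low
        Message   = $message
    }
}

# The two errors from the post above. -2147023824 is 0x80070430, Win32 1072
# (ERROR_SERVICE_MARKED_FOR_DELETE); 0x80070005 is Win32 5 (ERROR_ACCESS_DENIED).
'0x80070005', '-2147023824' | ForEach-Object { ConvertTo-Win32Error $_ } | Format-Table -AutoSize
```

Read together, the two codes say the tool could not stop or re-register the service because it lacked permission and because the service was already marked for deletion, which is a different problem from a missing registry key and is consistent with a rogue tampering with wuauserv itself.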


----------



## M0LD0V4N

Search up TuneUp Utilities 2008 on Google and install it as a trial.
I forgot which option recreates the whole registry, but try anything that has Registry in it,
like Registry Defrag or Clean. Hope this helps. If you solve your problem, remove TuneUp Utilities 2008; it's going to be useless since it's a trial.


----------



## GameMaster

No. This is definitely a virus infection. And a big one.

*Download and Run ComboFix* 
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.* 

*Download this file* from one of the three below listed places : 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe 
http://www.forospyware.com/sUBs/ComboFix.exe 
http://subs.geekstogo.com/ComboFix.exe 

Then double click *combofix.exe* & follow the prompts. 
When finished, it shall produce *a log* for you. *Post that log* in your next reply 
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall* 

Combofix should never take more than 20 minutes including the reboot if malware is detected. 
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue. 
If that happened we want to know, and also what process you had to end.


----------



## korenza

Okay... here's my log...

ComboFix 08-06-20.4 - Korenza 2008-06-22 12:49:54.1 - NTFSx86
Running from: C:\Documents and Settings\Korenza\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\smante~1
C:\Program Files\MyWay
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\1.bin\UNINSTAL.INF
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\WINDOWS\eptb.exe
C:\WINDOWS\kvsdpfeaglr.dll
C:\WINDOWS\rnopbfgt.dll
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\system32\aabKknmp.ini
C:\WINDOWS\system32\aabKknmp.ini2
C:\WINDOWS\system32\cixcpxvp.ini
C:\WINDOWS\system32\drnbxnuu.ini
C:\WINDOWS\system32\ejwntwvl.ini
C:\WINDOWS\system32\epciaikf.dll
C:\WINDOWS\system32\fkiaicpe.ini
C:\WINDOWS\system32\MSVolume.dll
C:\WINDOWS\system32\pmnkKbaa.dll
C:\WINDOWS\system32\sysmwwod.dll
C:\WINDOWS\system32\urqRKCsr.dll
C:\WINDOWS\system32\wnscptr.exe
C:\WINDOWS\system32\ywawwdhv.ini
C:\WINDOWS\xkefqtgs.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2008-05-22 to 2008-06-22  )))))))))))))))))))))))))))))))
.

2082-05-15 20:44 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2082-05-15 20:44 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2082-05-15 20:44 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2082-05-15 20:44 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2008-09-01 18:01 . 2008-04-08 20:25	<DIR>	d--------	C:\Program Files\Winamp
2008-08-25 15:45 . 2007-07-25 21:53	129,784	--a------	C:\WINDOWS\system32\pxafs.dll
2008-08-13 18:22 . 2008-05-09 18:28	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\Xfire
2008-08-11 19:06 . 2008-08-11 19:06	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\Lavasoft
2008-08-03 18:09 . 2008-08-03 18:09	2,560	--a------	C:\WINDOWS\_MSRSTRT.EXE
2008-07-31 16:02 . 2008-07-31 16:02	<DIR>	d--------	C:\Documents and Settings\Korenza\AbiSuite
2008-07-30 17:56 . 2008-05-23 10:53	<DIR>	d--------	C:\Program Files\QuickTime
2008-07-30 17:54 . 2007-12-28 12:04	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2008-07-21 09:26 . 2008-07-21 09:26	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\Apple Computer
2008-07-17 18:26 . 2007-12-20 23:57	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\GetRightToGo
2008-07-04 18:09 . 2008-07-04 18:09	303	--a------	C:\WINDOWS\ST6UNST.006
2008-07-04 18:09 . 2008-07-04 18:09	303	--a------	C:\WINDOWS\ST6UNST.005
2008-07-04 18:09 . 2008-07-04 18:09	303	--a------	C:\WINDOWS\ST6UNST.004
2008-07-04 18:07 . 2008-07-04 18:07	303	--a------	C:\WINDOWS\ST6UNST.003
2008-07-04 18:02 . 2008-07-04 18:02	303	--a------	C:\WINDOWS\ST6UNST.002
2008-07-02 17:56 . 2008-07-02 17:56	303	--a------	C:\WINDOWS\ST6UNST.001
2008-06-29 23:54 . 2008-06-29 23:54	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\DivX
2008-06-28 21:24 . 2008-06-14 23:48	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\Azureus
2008-06-28 21:21 . 2008-06-28 21:21	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\Talkback
2008-06-28 20:15 . 2008-06-14 23:49	<DIR>	d--------	C:\Documents and Settings\Korenza
2008-06-23 14:34 . 2006-11-07 22:01	66,048	--a------	C:\WINDOWS\ieResetIcons.exe
2008-06-22 01:37 . 2008-06-22 12:41	<DIR>	d--------	C:\Program Files\Spyware Doctor
2008-06-22 01:37 . 2008-06-22 01:37	<DIR>	d--------	C:\Documents and Settings\Korenza\Application Data\PC Tools
2008-06-22 01:37 . 2007-12-10 14:53	81,288	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-22 01:37 . 2007-12-10 14:53	66,952	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-22 01:37 . 2008-02-01 12:55	42,376	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-22 01:37 . 2007-12-10 14:53	29,576	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2008-06-22 01:11 . 2008-06-22 01:37	<DIR>	d--------	C:\WINDOWS\system32\CatRoot2
2008-06-22 00:39 . 2008-06-22 00:39	91,904	--a------	C:\WINDOWS\system32\vhdwwawy.dll
2008-06-22 00:22 . 2008-06-22 00:22	<DIR>	d--------	C:\Program Files\Windows Defender
2008-06-21 23:14 . 2008-06-21 23:14	91,904	--a------	C:\WINDOWS\system32\uunxbnrd.dll
2008-06-19 17:28 . 2008-06-19 17:28	50	--a------	C:\WINDOWS\system32\fmls.mzo
2008-06-15 00:35 . 2008-06-15 00:40	<DIR>	d--------	C:\Program Files\Search And Destroy
2008-06-15 00:12 . 2008-06-15 00:12	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-06-15 00:03 . 2008-06-15 00:46	<DIR>	d--------	C:\Program Files\Microsoft Silverlight
2008-06-14 22:16 . 2008-06-14 22:16	<DIR>	d--------	C:\Program Files\Veoh Networks
2008-06-14 17:51 . 2008-07-12 18:27	6,080	--a------	C:\WINDOWS\system32\mhdb.mzo
2008-06-14 13:24 . 2008-06-14 23:48	<DIR>	d--------	C:\Program Files\Tweak Manager
2008-06-14 12:44 . 2008-06-14 23:48	<DIR>	d---s----	C:\Documents and Settings\Korenza\UserData
2008-06-13 23:36 . 2008-06-13 20:57	81,920	--a------	C:\WINDOWS\pebgkxwq.exe
2008-06-13 22:24 . 2008-08-02 22:48	4,753	--a------	C:\WINDOWS\system32\fms.mzo
2008-06-13 22:23 . 2008-06-13 22:23	8,704	--a------	C:\WINDOWS\system32\sporder.dll
2008-06-11 00:30 . 2008-06-22 01:39	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-10 13:59 . 2008-04-14 06:01	272,128	---------	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 13:59 . 2008-04-14 06:01	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 22:16 . 2008-06-04 22:16	<DIR>	d--------	C:\Program Files\Common Files\eSellerate
2008-06-04 22:07 . 2004-12-06 06:10	192,512	--a------	C:\WINDOWS\system32\ssresources.dll
2008-06-04 22:07 . 2006-05-08 19:59	49,152	--a------	C:\WINDOWS\system32\AIMDL.exe
2008-06-03 21:01 . 2008-06-03 21:01	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-06-03 20:48 . 2008-06-03 20:48	<DIR>	d--------	C:\nc100v2
2008-06-03 20:11 . 2008-06-14 12:44	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-03 20:10 . 2008-06-03 20:10	<DIR>	d--------	C:\WINDOWS\nvidia icons
2008-06-03 20:09 . 2008-05-02 22:46	181,895	--a------	C:\WINDOWS\system32\nvdsp.chm
2008-06-03 20:09 . 2008-05-02 22:46	121,529	--a------	C:\WINDOWS\system32\nvcpl.chm
2008-06-03 20:09 . 2008-05-02 22:46	116,384	--a------	C:\WINDOWS\system32\nv3d.chm
2008-06-03 20:09 . 2008-05-02 22:46	54,988	--a------	C:\WINDOWS\system32\nvmob.chm
2008-06-03 20:02 . 2008-06-03 20:02	<DIR>	d--------	C:\Program Files\SystemRequirementsLab
2008-06-01 19:25 . 2004-08-03 23:07	59,264	--a------	C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-06-01 19:25 . 2004-08-03 23:07	59,264	--a--c---	C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-23 11:31 . 2007-07-30 19:19	30,072	--a------	C:\WINDOWS\system32\mucltui.dll.mui
2008-05-23 10:54 . 2008-05-23 10:54	<DIR>	d--------	C:\Program Files\iTunes
2008-05-23 10:54 . 2008-05-23 10:54	<DIR>	d--------	C:\Program Files\iPod
2008-05-23 10:47 . 2008-05-23 10:47	<DIR>	d--------	C:\Program Files\Apple Software Update
2008-05-22 17:22 . 2008-05-22 17:22	3,596,288	--a------	C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:22 . 2008-05-22 17:22	524,288	--a------	C:\WINDOWS\system32\DivXsm.exe
2008-05-22 17:22 . 2008-05-22 17:22	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-05-22 17:20 . 2008-05-22 17:20	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-05-22 17:20 . 2008-05-22 17:20	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-05-22 17:19 . 2008-05-22 17:19	196,608	--a------	C:\WINDOWS\system32\dtu100.dll
2008-05-22 17:19 . 2008-05-22 17:19	161,096	--a------	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 17:19 . 2008-05-22 17:19	81,920	--a------	C:\WINDOWS\system32\dpl100.dll
2008-05-22 17:19 . 2008-05-22 17:19	416	--a------	C:\WINDOWS\system32\dtu100.dll.manifest
2008-05-22 17:19 . 2008-05-22 17:19	416	--a------	C:\WINDOWS\system32\dpl100.dll.manifest
2008-05-22 17:18 . 2008-05-22 17:18	12,288	--a------	C:\WINDOWS\system32\DivXWMPExtType.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 00:53	---------	d-----w	C:\WINDOWS\system32\config\systemprofile\Application Data\Xfire
2008-08-14 05:48	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\Xfire
2008-08-12 00:54	---------	d-----w	C:\Program Files\StarOffice6.0
2008-08-03 23:13	---------	d-----w	C:\Program Files\Tyan Computer Corp
2008-06-30 04:21	---------	d-----w	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-22 18:01	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-22 06:22	---------	d-----w	C:\Program Files\New Folder
2008-06-15 05:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-15 05:44	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-15 03:17	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-12 18:35	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-06-11 05:32	---------	d-----w	C:\Program Files\Google
2008-06-10 23:02	---------	d-----w	C:\Program Files\DivX
2008-06-08 03:39	---------	d-----w	C:\Program Files\Azureus
2008-06-04 01:11	---------	d-----w	C:\Program Files\Yahoo!
2008-05-30 19:24	---------	d--h--r	C:\Documents and Settings\Korenza\Application Data\yahoo!
2008-05-17 16:45	---------	d-----w	C:\Program Files\Real Alternative
2008-05-17 16:45	---------	d-----w	C:\Program Files\Microsoft Works
2008-05-11 22:03	---------	d-----w	C:\Program Files\Smart PDF Converter
2008-05-11 21:59	---------	d-----w	C:\Documents and Settings\Korenza\Application Data\Nitro PDF
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 00:57	---------	d-----r	C:\Program Files\Xfire
2008-05-07 21:58	---------	d-----w	C:\Program Files\VideoLAN
2008-05-07 21:57	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-07 21:56	---------	d-----w	C:\Program Files\AIM
2008-05-07 21:56	---------	d-----w	C:\Documents and Settings\Korenza\Application Data\Aim
2008-05-03 03:46	6,554,496	----a-w	C:\WINDOWS\system32\drivers\nv4_mini.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{573E5206-B092-4111-B5E0-A8580F026F03}"= "C:\WINDOWS\rtsplgob.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{573e5206-b092-4111-b5e0-a8580f026f03}]
[HKEY_CLASSES_ROOT\rtsplgob.1]
[HKEY_CLASSES_ROOT\TypeLib\{2244A59D-8464-46DA-B920-C8039784C554}]
[HKEY_CLASSES_ROOT\rtsplgob]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nolan^Start Menu^Programs^Startup^StarOffice 6.0.lnk]
backup=C:\WINDOWS\pss\StarOffice 6.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-08-15 20:25 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:6112
"6112:UDP"= 6112:UDP:6112
"5738:TCP"= 5738:TCP:a
"41414:TCP"= 41414:TCP:a
"41414:UDP"= 41414:UDP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
Contents of the 'Scheduled Tasks' folder
"2008-06-22 17:29:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-22 18:00:11 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 13:02:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\GRT\WClient\WCSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-22 13:04:44 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-22 18:04:40

Pre-Run: 131,133,431,808 bytes free
Post-Run: 131,696,807,936 bytes free

251	--- E O F ---	2008-06-10 20:30:41

btw, I don't know if this helps or not, but after it was done with the scan/delete process and it was about to reboot my computer, it opened Explorer at the page update.microsoft.com, but it said it couldn't connect to the page...

Also, the problem hasn't been fixed... I still can't turn on Automatic Updates, and the Windows Security Alert "wscntfy.exe" is still on.


----------



## korenza

I ended up going to update.microsoft.com and searched for updates there... and it said that the files on my computer needed to use Windows Update were no longer (detected?) on my computer... so it had an option of installing those files... so I did that and now it works...


----------



## GameMaster

OK, but I think we should continue fixing your computer, as it still seems to be infected.
*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet.)* 

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, then click *OK*. 
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\_MSRSTRT.EXE
> C:\WINDOWS\ST6UNST.006
> C:\WINDOWS\ST6UNST.005
> C:\WINDOWS\ST6UNST.004
> C:\WINDOWS\ST6UNST.003
> C:\WINDOWS\ST6UNST.002
> C:\WINDOWS\ST6UNST.001
> C:\WINDOWS\system32\vhdwwawy.dll
> C:\WINDOWS\system32\uunxbnrd.dll
> C:\WINDOWS\system32\fmls.mzo
> C:\WINDOWS\system32\mhdb.mzo
> C:\WINDOWS\pebgkxwq.exe
> C:\WINDOWS\system32\fms.mzo



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.* 

Please post a fresh HijackThis log. Is your system running better now?
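An added example, not from any poster here: a boot-time deleter such as the one described above removes the files outright, so if the identification was wrong there is nothing left to examine. The function below (its name, the quarantine folder and the manifest layout are this example's own choices) hashes each file, records its metadata and signature status, then moves it into a quarantine folder with a non-executable extension instead of deleting it. The path list at the bottom is taken from the script above.

```powershell
# Added example: quarantine with an evidence manifest instead of deleting.
function Move-ToQuarantine {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$QuarantineDir = 'C:\Quarantine'
    )
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $manifest = Join-Path $QuarantineDir 'manifest.csv'

    $records = foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "not present: $p"
            continue
        }
        $item = Get-Item -LiteralPath $p -Force
        # Collect everything while the file is still at its original path.
        $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig = (Get-AuthenticodeSignature -LiteralPath $p).Status   # NotSigned for most malware

        # Flatten the path so same-named files from different folders cannot collide,
        # and change the extension so nothing in the folder runs on a double-click.
        $dest = Join-Path $QuarantineDir (($p -replace '[:\\]', '_') + '.quarantined')
        try {
            Move-Item -LiteralPath $p -Destination $dest -Force -ErrorAction Stop
        } catch {
            # DLLs and EXEs loaded into running processes cannot be moved from the live
            # system; that is exactly why boot-time tools exist. Log it and carry on.
            Write-Warning "locked, not moved: $p ($($_.Exception.Message))"
            continue
        }

        [pscustomobject]@{
            OriginalPath   = $p
            QuarantinePath = $dest
            SHA256         = $sha
            Size           = $item.Length
            CreatedUtc     = $item.CreationTimeUtc.ToString('o')
            ModifiedUtc    = $item.LastWriteTimeUtc.ToString('o')
            Signature      = [string]$sig
        }
    }

    if ($records) {
        $records | Export-Csv -LiteralPath $manifest -Append -NoTypeInformation
    }
    $records
}

# Files named in the Avenger script above; run from an elevated prompt.
Move-ToQuarantine -Path @(
    'C:\WINDOWS\_MSRSTRT.EXE',
    'C:\WINDOWS\system32\vhdwwawy.dll',
    'C:\WINDOWS\system32\uunxbnrd.dll',
    'C:\WINDOWS\pebgkxwq.exe'
) | Format-Table -AutoSize
```

Anything reported as locked is still loaded by a running process; note which process, then quarantine it from Safe Mode or an offline boot. The SHA256 values in the manifest are what you would later submit to a scanner or compare against a known-good copy, which is impossible once the file has been deleted.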


----------



## korenza

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\_MSRSTRT.EXE" deleted successfully.
File "C:\WINDOWS\ST6UNST.006" deleted successfully.
File "C:\WINDOWS\ST6UNST.005" deleted successfully.
File "C:\WINDOWS\ST6UNST.004" deleted successfully.
File "C:\WINDOWS\ST6UNST.003" deleted successfully.
File "C:\WINDOWS\ST6UNST.002" deleted successfully.
File "C:\WINDOWS\ST6UNST.001" deleted successfully.
File "C:\WINDOWS\system32\vhdwwawy.dll" deleted successfully.
File "C:\WINDOWS\system32\uunxbnrd.dll" deleted successfully.
File "C:\WINDOWS\system32\fmls.mzo" deleted successfully.
File "C:\WINDOWS\system32\mhdb.mzo" deleted successfully.
File "C:\WINDOWS\pebgkxwq.exe" deleted successfully.
File "C:\WINDOWS\system32\fms.mzo" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.




Wow... after I used ComboFix I can't use the Windows Security Center now... I can't use Add/Delete Programs... can't use Yahoo Messenger or a bunch of other programs... pretty much all the ones included in the ComboFix log I posted... and I can't uninstall or reinstall, like, any programs...
ComboFix seriously ****ed it up... at least before I could actually install and remove programs... now I can't do anything except Firefox and Internet Explorer.


----------

