trouble with Vista desktop PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mudbucket, Jan 24, 2012.

  1. mudbucket

    mudbucket Private E-2

    Ran the HJT scan/fix- is there a log?

    the registry fix was successful.

    After enabling all startup processes, and rebooting, it seemed to run OK.

    Ran the OTL scan - logs attached.

    Ran Getlogs.bat - logs.zip attached. During this scan Avira AV popped up a message: "Host file blocked"
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, these logs are basically clean, but I will clean up some miscellaneous junk from them anyway.


    Now shut down your protection software (antivirus, antispyware, etc.) to avoid possible conflicts.
    Code:
    :OTL
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=14542"
    FF - prefs.js..browser.search.order.2: "Ask.com"
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q="
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.775: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
    [2011/01/24 16:05:26 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Burtis\AppData\Roaming\Mozilla\Firefox\Profiles\mfnritcu.default\extensions\engine@conduit.com
    [2010/12/30 18:06:50 | 000,002,567 | ---- | M] () -- C:\Users\Burtis\AppData\Roaming\Mozilla\Firefox\Profiles\mfnritcu.default\searchplugins\askcom.xml
    [2009/10/02 17:08:48 | 000,009,941 | ---- | M] () -- C:\Users\Burtis\AppData\Roaming\Mozilla\Firefox\Profiles\mfnritcu.default\searchplugins\mywebsearch.xml
    [2010/10/05 17:10:33 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    [2011/11/06 16:20:26 | 000,001,945 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing-zugo.xml
    O3 - HKU\S-1-5-21-185151272-2915833946-728350550-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-185151272-2915833946-728350550-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O4 - Startup: C:\Users\Henry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk =  File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now refer back to the instructions in message #46 for running Farbar Recovery Scan Tool and rerun a new scan. Attach the new log.

    Also explain any problems that you may still be having.
     
    Last edited: Mar 1, 2012
  3. mudbucket

    mudbucket Private E-2

    OTL crashed during the fix and I needed to reboot. Avira AV was not enabled and I don't think there was any other AV or antispyware running.
    I tried to run the fix again and it crashed, but a partial logfile was generated the second time.
    I attached the log.

    I ran FRST and attached the log.

    Problems:
    I am having the same problems with Windows Security Center and Windows Defender not working - the browser redirect has not been an issue for a few days.
    Also, Windows Firewall (not using recommended settings), and without the Print Spooler I can't print.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip

    Okay these remaining items may wind up needing to be worked in the Software Forum since they may be just Windows problems. And as far as the Print Spooler service goes, this may have been corrupted by your printer software. I suggest that you uninstall 100% of the printer software you have installed and then reboot and see if this changes.
     
  5. mudbucket

    mudbucket Private E-2

    I could not save MGtools to the C:drive, (?) got this message:
    Permission.jpg
    so I saved to the folder and I was able to copy to C:

    I ran MGtools and attached the log.

    Q.: Should UAC ever be enabled, like for normal use? It has been disabled for weeks while troubleshooting problems, so I am asking at what point would it be necessary to enable UAC again?

    Still wondering about this. Is this a windows thing? They look like:
    Icon_shield.jpg

    I will uninstall all of the printer software as you suggest, reboot, and see what happens. As I recall I had a Lexmark tech help with wireless printer issues using remote desktop about 2 years ago, always has been problematic printing though.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just keep it disabled until we finish all of our work in this forum.

    It could be something left over from your infection.


    Okay we need to edit the permissions settings on a registry key and then import a registry patch.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Just save the file for now.


    Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    Now follow the below instructions for changing permissions for various registry keys using Regedit.
    • First navigate to the below registry key and have it selected
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    • Then right click on this key and select Permissions
    • Then on the Permissions for Root form click the Add button
    • In the Enter the object names to select box type Everyone and click the Check Names button which should cause the Everyone text to be approved and underlined
    • Then click the OK button which returns you to the Permissions for Root form
    • Make sure you select Everyone from the upper list, and then in the Permissions form Everyone box, select Full Control and see if it allows you to click the Apply button.
      • If this worked okay to set Full Control for Everyone, skip all the way down to the purple heading below saying APPLYING THE REGISTRY PATCH.
      • If it did not allow you to set Full Control for Everyone, continue with the below.
    • Click the Advanced button
    • On this Advanced... form, select the Owner tab.
    • On the Owner tab, do the next steps to add Everyone to owners and make Everyone the current owner
    • Click the Other users or groups... button
    • On the next form, in the Enter the object name to select box, type in Everyone and then click Check Names which will then verify that Everyone exists and will underline the text to show it was found
    • Then click OK
    • Then back on the Advanced Security Settings for Root form select Everyone and then click the Apply button. And then OK out of this form.
    • Now you should be back at the Permissions for Root form.
    • Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.
    • No matter whether it allows Full Control or not just close the Permission for Root form and continue with the below.
    APPLYING THE REGISTRY PATCH

    Now in the Registry Editor menu click File and then select Import. Navigate to the fixme.reg patch you saved to your Desktop and double click on it to select it to be imported. Tell me what happens ( exactly ).

    Then no matter what happens above, continue with the below.

    Reboot your PC and after reboot continue.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  7. mudbucket

    mudbucket Private E-2

    Using the Advanced Security Settings approach, Full Control was allowed for Everyone on that root key.

    Applying the registry patch, I got a Registry Editor information box that stated "The keys and values contained in C:\Users\Burtis\Desktop\fixme.reg have been successfully added to the registry."

    After reboot, I ran GetLogs.bat and attached the logs.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that last registry patch only managed to fix the upnphost service. Those other items all reverted back after the reboot. Let's try again, but this time after adding in the same registry patch from message #45, I want to get a new MGtools log before rebooting and then another after a reboot to see if it is the reboot that causes the keys to revert back. Also we will do the below first too!

    First uninstall your Lexmark software as I requested awhile back.
    Also uninstall Avira.

    Do not continue unless you have uninstalled both of the above.

    Please click Start and in the Start Search box type services.msc into the box. When you see the services.msc icon appear up above in the list, right click on it and select Run As Administrator. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. Set the Startup type to Manual and then close the form for the ALG service.

    Now locate the Background Intelligent Transfer Service service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Cryptographic Services service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Terminal Services Configuration service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the Volume Shadow Copy service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the Windows Defender service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Security Center service and Start it and set the Startup type to Automatic, Did this Start?

    Now close the above services forms.

    Now reapply the registry patch from message # 56.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
    Now reboot your PC and then rerun GetLogs.bat and attach another new MGlogs.zip.
     
  9. mudbucket

    mudbucket Private E-2

    A few days ago I uninstalled the Lexmark printer software, enabled the Print Spooler service, and I have been running in Normal Startup mode. Other than the problems we are working on right now, the system has been stable and functioning well (other than a rare redirect using Chrome).

    I uninstalled Avira and rebooted.

    ALG was set to manual.

    I applied the registry patch and got this message:
    reg_keys_open.jpg

    I ran Getlogs.bat (1), rebooted and ran Getlogs.bat (2), and then I attached both sets of logs (1) and (2).
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah! So I was right all along that this issue was not due to malware and was due to your printer software.

    I'm not seeing any reason why we cannot get these last few services to run properly. They always disable themselves again. At this point, I don't think we can repair this here as it is not malware at this point, it is residual damage to Windows. You may have to do a reinstall to get this fixed. I'm not sure if a Windows Repair would work. Possibly a reinstall of XP SP3 but even that I question.
     
  11. mudbucket

    mudbucket Private E-2

    Yes, you're right. But I didn't think printer software could cause this many problems.

    Checking on a few things, I see that there are about 15 various restore points beginning on 2/23/2012, 12:12 a.m. Also, I was able to create a new restore point successfully. I updated the settings and now Windows Firewall is happily protecting my PC! The W7 laptop was able to access shared files through wireless network. Internet browsers, other software, and games function well. (It seems to be stable, so I am still hopeful) Thank you for all of this. I guess all that remains is that I still can't turn on Security Center or Windows Defender. (can I live without?)

    If a Windows Repair is a possibility, I would want to try that before a reinstall of Vista (XP SP3?)
    Are you thinking you could send me to an expert in the Software Forum? I have a few questions, and I'd like to try to repair before reinstall. Last update was 1/14/2012. There are 10 Important/26 Optional Windows Updates - do I attempt to update anything? How about reinstalling printer software?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are of no use to you since they are all from the time where you already have all these problems.

    Yes and no. When you install your own protection software, it will be its own security center and if you install a good one which provides antivirus, antispyware, and firewall and it auto checks for updates, etc. then you may just be okay without Windows Security Center and Defender. The thing is, you may have other services that are not starting too if you check in detail.

    Sorry about that. For some reason I just forgot you had Vista and said XP SP3. The repair type options for Vista are more limited. There is a Startup Repair but you are not having startup problems. You could try the below with SFC

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    Install them and reboot and see if that helps with anything. You may get lucky and have some Windows update that could potentially fix the problems.

    You could also try running Microsoft's FixIt tool. I have never seen it be much help repairing anything but who knows. See this >> http://support.microsoft.com/fixit/ Or more direct link >> http://fixitcenter.support.microsoft.com/Portal


    I suggest waiting until you try all the above stuff to fix Windows. Then if you still have the same problems and decide to live with them, try reinstalling the printer software. If your system behavior gets bad, you now know what to do to fix it. ;)
     
  13. mudbucket

    mudbucket Private E-2

    What is the best approach to check other services in detail? I haven't noticed anything else yet.

    OK I'll run System File Checker (don't have a Windows CD...), update Windows, and try the FixIt tool. Then I'll see about the printer software.

    Thanks for all. :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You would have to run services.msc to see the services and check their Startup types and Status and compare against a list of what they should be for your version of Windows. They can be different based on which version of Windows and whether it is a 32 bit or 64 bit system. This would be something you are better off doing in the Software Forum, but a site like Black Viper's may be of some use.
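    As an added example (not posted by chaslang or mudbucket in this thread), the check described in message #8 and again here, done as a PowerShell script: it compares the services chaslang listed against the Startup type and state he asked for, and writes a timestamped snapshot so a run before the reboot and a run after it can be compared to see which services reverted. The expected settings are taken from message #8; Print Spooler and its Automatic startup type are an assumption added because the thread turns on it.

```powershell
# Added example (not from the thread): check the services chaslang lists in
# post #8 against the Startup type and state he asked for, and report any
# that have reverted. Run it once before and once after a reboot to see
# whether the reboot is what resets them. It reads the Win32_Service WMI
# class, which exposes StartMode (Auto/Manual/Disabled) and State on
# Vista-era PowerShell 2.0; reading it does not need an elevated shell.

# Expected settings taken from post #8. Print Spooler is added because the
# thread turns on it; Automatic is assumed as its normal startup type.
$expected = @(
    @{ Display = 'Application Layer Gateway Service';       StartMode = 'Manual'; MustRun = $false },
    @{ Display = 'Background Intelligent Transfer Service'; StartMode = 'Auto';   MustRun = $true  },
    @{ Display = 'Cryptographic Services';                  StartMode = 'Auto';   MustRun = $true  },
    @{ Display = 'Terminal Services Configuration';         StartMode = 'Manual'; MustRun = $true  },
    @{ Display = 'Volume Shadow Copy';                      StartMode = 'Manual'; MustRun = $true  },
    @{ Display = 'Windows Defender';                        StartMode = 'Auto';   MustRun = $true  },
    @{ Display = 'Security Center';                         StartMode = 'Auto';   MustRun = $true  },
    @{ Display = 'Print Spooler';                           StartMode = 'Auto';   MustRun = $true  }
)

function Test-ExpectedServices {
    param([array]$Expected)
    $report = @()
    foreach ($e in $Expected) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$($e.Display)'"
        if ($null -eq $svc) {
            # No Win32_Service entry means the service's registry key is gone,
            # which is exactly the kind of damage the thread is chasing.
            $report += "MISSING  $($e.Display): no service entry found"
            continue
        }
        $problems = @()
        if ($svc.StartMode -ne $e.StartMode) {
            $problems += "StartMode is $($svc.StartMode), expected $($e.StartMode)"
        }
        if ($e.MustRun -and $svc.State -ne 'Running') {
            $problems += "State is $($svc.State), expected Running"
        }
        if ($problems.Count -eq 0) {
            $report += "OK       $($e.Display) ($($svc.Name))"
        } else {
            $report += "REVERTED $($e.Display) ($($svc.Name)): " + ($problems -join '; ')
        }
    }
    return $report
}

# Save a timestamped snapshot on the Desktop so the before-reboot and
# after-reboot runs can be compared side by side.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$out = Join-Path $env:USERPROFILE "Desktop\services_check_$stamp.txt"
Test-ExpectedServices -Expected $expected | Tee-Object -FilePath $out
Write-Host "Snapshot written to $out"
```

    A service reported as REVERTED in the after-reboot snapshot but OK in the before-reboot one points at something that runs during startup resetting it, which is the question message #8 was trying to answer.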
     
