Old 03-21-2007, 10:55 AM   #21 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Hjt Log

Nice work.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[-HKEY_CLASSES_ROOT\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Firewall auto setup"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete this folder:

C:\Documents and Settings\Glenn\Application Data\ SystemDoctor 2006 Free

--------------------------------------------------------------------

Open HijackThis. Click on Open the Misc Tools Section.
  • On the screen, click on "Delete a file on reboot...".
  • Copy/paste C:\WINNT\system32\qch29sr.dll into the File Name field and click 'Open'
  • HJT will ask you if you want to reboot, now. Click "Yes".
--------------------------------------------------------------------

If you have internet access, please refer to my previous instructions for running the online scan at Panda. Be sure to save the results. **If you still cannot access the internet, continue with the remaining instructions.

--------------------------------------------------------------------

Run a new scan with ComboScan.exe and post the ComboScan.txt here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
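A dry-run preview of the delete.reg from the post above, as an added example that is not part of the original thread: it parses the script without touching the registry, lists every key and value it would remove, and flags a copy whose REGEDIT4 first line was lost. Requiring the header on line 1 exactly is a conservative assumption of this checker, and the names parse_reg and is_delete_only are its own.

```python
import re
from collections import Counter, namedtuple

# Headers regedit recognises: the older REGEDIT4 style and the 5.00 style.
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [key] or [-key]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data

Op = namedtuple("Op", "action key name data line")


def decode_reg(data: bytes) -> str:
    """Decode a .reg file: UTF-16 or UTF-8 when a BOM says so, else ANSI."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8")
    return data.decode("cp1252", errors="replace")


def parse_reg(data: bytes):
    """Return (ops, problems) for a .reg script without touching the registry."""
    lines = decode_reg(data).splitlines()
    ops, problems = [], []
    first = lines[0] if lines else ""
    # Conservative assumption of this checker: the header must be line 1 exactly.
    has_header = first in HEADERS
    if not has_header:
        problems.append(f"line 1 is {first!r}, not a registry script header")
    key, key_deleted, pending = None, False, ""
    for n, raw in enumerate(lines, start=1):
        if n == 1 and has_header:
            continue
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):       # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            key, key_deleted = m.group(2), m.group(1) == "-"
            if key.split("\\", 1)[0].upper() not in ROOTS:
                problems.append(f"line {n}: unknown root key in [{key}]")
            if key_deleted:                        # [-key] removes the whole key
                ops.append(Op("delete_key", key, None, None, n))
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a key or value line: {line!r}")
            continue
        if line.endswith("\\"):                    # hex data continued below
            pending = line[:-1]
            continue
        if key is None or key_deleted:
            problems.append(f"line {n}: value line outside a writable key section")
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data_part = m.group(2)
        if data_part == "-":                       # "name"=- removes one value
            ops.append(Op("delete_value", key, name, None, n))
        else:
            ops.append(Op("set_value", key, name, data_part, n))
    return ops, problems


def is_delete_only(data: bytes) -> bool:
    """True when the script parses cleanly and would only remove keys/values."""
    ops, problems = parse_reg(data)
    return not problems and bool(ops) and all(o.action != "set_value" for o in ops)


# The script from the post above, embedded as posted.
PAGE_SCRIPT = rb"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[-HKEY_CLASSES_ROOT\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Firewall auto setup"=-
"""

# Constructed failure case: the same text copied without the REGEDIT4 line.
NO_HEADER = PAGE_SCRIPT.split(b"\n", 1)[1]

if __name__ == "__main__":
    for label, blob in (("as posted", PAGE_SCRIPT), ("header lost", NO_HEADER)):
        ops, problems = parse_reg(blob)
        print(label, dict(Counter(o.action for o in ops)), problems)
        for o in ops:
            print("   ", o.action, o.key, o.name or "")
```
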
Old 03-21-2007, 12:51 PM   #22 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

I haven't done anything yet. Just been scoping to see if I have any questions, and I do, before I destroy the computer some more.
1) When I do this

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[-HKEY_CLASSES_ROOT\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Firewall auto setup"=-


Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

I click on 'File, Save As'. Question is, what do I save it in, Desktop??

--------------------------------------------------------------------

When I do this: Using 'My Computer', navigate to and delete this folder:

C:\Documents and Settings\Glenn\Application Data\SystemDoctor 2006 Free

I am unable to find the folder. I clicked on the search button and pasted the above in the search and it said "There are no results to display".

-------------------------------------------------------------------
When I looked into this: Open HijackThis. Click on Open the Misc Tools Section.
On the screen, click on "Delete a file on reboot...".
Copy/paste C:\WINNT\system32\qch29sr.dll into the File Name field and click 'Open'
HJT will ask you if you want to reboot, now. Click "Yes".
A box opened that said look in desktop and on the bottom file name. I just want to make sure that this is the right box that I copy and paste into.

Thanks for all your help as soon as I hear from you I will proceed forward.
hookem085 is offline  
Old 03-21-2007, 01:36 PM   #23 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Hjt Log

Hiya,

1. Yes, save the delete.reg to your desktop.

2. For this folder, C:\Documents and Settings\Glenn\Application Data\ SystemDoctor 2006 Free do you still have hidden files displayed?

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

*If you still can't find it, just move along to the next step.

3.
Quote:
A box opened that said look in desktop and on the bottom file name. I just want to make sure that this is the right box that I copy and paste into.
Yes, that's the correct box--instead of having you 'look' for it, I'm having you just copy/paste the full path in and select 'Open'.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-21-2007, 03:40 PM   #24 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

I am connected barely. My homepage is diff. and where there are supposed to be pictures there is a blank box with the red and blue dot box next to it. (I don't know what to call that)

Anyway, I am going to send you everything except the Panda scan, for that will take some time and I will do that next.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:34:49 PM 3/21/2007

+ Scan result:



HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ncmyb.SABHO -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ncmyb.SABHO.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM.ADM -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\instafink.INSTAFINK -> Adware.InstaFinder : Error during cleaning.
HKLM\SOFTWARE\Classes\ISTx.Installer -> Adware.ISTBar : Error during cleaning.
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Error during cleaning.
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Error during cleaning.
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Error during cleaning.
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo -> Adware.RXToolbar : Error during cleaning.
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo.1 -> Adware.RXToolbar : Error during cleaning.
HKU\S-1-5-21-1292428093-1993962763-854245398-1005\Software\SystemDoctor 2006 Free -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1993962763-854245398-1005\Software\SystemDoctor 2006 Free\Settings -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Error during cleaning.
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Error during cleaning.
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\Ysb.YsbObj.1 -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Error during cleaning.
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012889.exe -> Downloader.Zlob.atn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012884.dll -> Downloader.Zlob.ato : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012885.exe -> Downloader.Zlob.ato : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012893.exe -> Downloader.Zlob.ato : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP246\A0011852.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012855.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012866.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A1B4BBB5-6849-415C-9228-D7C24B33BDA5}\RP247\A0012886.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).

---------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 4:38:20 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Mary Kay\Desktop\Computer Geeks\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: C:\WINNT\system32\qch29sr.dll - {8D5849C4-93F3-429D-FF34-260A2068897C} - C:\WINNT\system32\qch29sr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\winlogon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...reeInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151346326632
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128440500009
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://mhost236.theintelligentnetwork.com/msrdp.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)

-------------------------------------------------------------------

I am having trouble with smitfraud but I am sure I will get it going and I will start the Panda scan now and will respond in a while
hookem085 is offline  
Old 03-21-2007, 04:04 PM   #25 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

Went into Safe Mode and got SmitFraud working. So here is that, then I will start Panda.

SmitFraudFix v2.150

Scan done at 16:51:23.51, Wed 03/21/2007
Run from C:\Documents and Settings\Mary Kay\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"="Hex port setting"

[HKEY_CLASSES_ROOT\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}\InProcServer32]
@="C:\WINNT\system32\qch29sr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849C4-93F3-429D-FF34-260A2068897C}\InProcServer32]
@="C:\WINNT\system32\qch29sr.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
hookem085 is offline  
Old 03-21-2007, 05:54 PM   #26 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

I am unable to do the Panda virus scan. I can't really tell why. For I am still barely able to get online. Like I mentioned before, my homepage is diff. and where there are supposed to be pictures there is a blank box with the red and blue dot box next to it. (I don't know what to call that)
And in order to get online I click on "internet", nothing at first except the hourglass, then I click on it again and it opens up but very slowly. I am however now able to send e-mail. So things are getting a little better. Let me know if I need to send you any other scans.
hookem085 is offline  
Old 03-21-2007, 06:22 PM   #27 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Hjt Log

Nice work getting those scans.

In order to determine my next course of action, I need to know the following:

1. What happened when you created the delete.reg and double-clicked on it? Did you see a final message stating that it merged successfully?

2. Did you scan with AVG A-S in Safe Mode or Normal Mode? If you scanned in Normal Mode, run the scan in Safe Mode and let's see if it can clean those entries this time around.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-21-2007, 06:28 PM   #28 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

1. What happened when you created the delete.reg and double-clicked on it? Did you see a final message stating that it merged successfully?
Yes, it stated that it merged successfully.


2. Did you scan with AVG A-S in Safe Mode or Normal Mode? If you scanned in Normal Mode, run the scan in Safe Mode and let's see if it can clean those entries this time around.
Yes, Normal Mode, will redo in Safe Mode. Am currently trying to do a Panda scan again so it will be a while.
hookem085 is offline  
Old 03-21-2007, 06:32 PM   #29 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Hjt Log

Stop the Panda scan.

Your system is riddled with infections...You'll have a much easier time with that online scan if you can get AVG A-S to clean all those infections first.

Please post the AVG A-S results before you do anything else.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-21-2007, 08:06 PM   #30 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

ok will do
hookem085 is offline  
Old 03-21-2007, 09:54 PM   #31 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:45:14 PM 3/21/2007

+ Scan result:



HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ncmyb.SABHO -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ncmyb.SABHO.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM.ADM -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Classes\instafink.INSTAFINK -> Adware.InstaFinder : Error during cleaning.
HKLM\SOFTWARE\Classes\ISTx.Installer -> Adware.ISTBar : Error during cleaning.
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Error during cleaning.
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Error during cleaning.
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Error during cleaning.
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo -> Adware.RXToolbar : Error during cleaning.
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo.1 -> Adware.RXToolbar : Error during cleaning.
C:\Documents and Settings\Mary Kay\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Error during cleaning.
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Error during cleaning.
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\Ysb.YsbObj.1 -> Adware.YourSiteBar : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Error during cleaning.


::Report end
hookem085 is offline  
Old 03-21-2007, 10:04 PM   #32 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Hjt Log

Interesting.

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

----------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

----------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
----------------------------------------------------------------

Try the delete.reg I gave you earlier, then reboot your system once again.

----------------------------------------------------------------

Run a new scan with ComboScan.exe and post the ComboScan.txt here along with the C:\SDFix\Report.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-22-2007, 06:54 AM   #33 (permalink)
Registered User
 
Join Date: Dec 2004
Location: Austin TX
Posts: 169
OS: Vista


Re: Hjt Log

"Try the delete.reg I gave you earlier, then reboot your system once again"
Could not do this. I got this message: " Cannot import C:\Document and Settings\Mary kay \Desktop\delete.reg: The specified file is not a registry script. you can only import binary registry files from within the registry editor."

REPORTS:

ComboScan v20070306.20 run by Mary Kay on 2007-03-22 at 07:49:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mary Kay.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:49:34 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Mary Kay\Desktop\comboscan.exe
C:\DOCUME~1\MARYKA~1\Desktop\COMPUT~1\MARYKA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\winlogon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...reeInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151346326632
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128440500009
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://mhost236.theintelligentnetwork.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)


-- Files created between 2007-02-22 and 2007-03-22 -----------------------------



-- Find3M Report ---------------------------------------------------------------

2007-03-22 07:37:55 0 d-------- C:\Documents and Settings\Mary Kay\Application Data\AdobeUM
2007-03-21 20:26:50 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-21 20:15:19 0 dr------- C:\Program Files\Messenger<MESSEN~1>
2007-03-21 20:12:26 0 d-------- C:\Program Files\iTunes
2007-03-21 20:08:52 0 d-------- C:\Program Files\Google
2007-03-21 20:00:01 0 d-------- C:\Program Files\AIM
2007-03-21 16:51:28 2174 --a------ C:\WINNT\system32\tmp.reg
2007-03-19 07:22:05 0 d-------- C:\Program Files\Grisoft
2007-03-18 13:22:09 0 d-------- C:\Program Files\Microsoft Picture It! PhotoPub<MICROS~7>
2007-03-18 02:10:47 1632 --a------ C:\WINNT\system32\d3d8caps.dat
2007-01-29 03:58:06 60416 -----n--- C:\WINNT\system32\tzchange.exe
2006-12-27 05:00:10 12288550 -----n--- C:\AVG7QT.DAT


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Firewall auto setup"="C:\\DOCUME~1\\MARYKA~1\\LOCALS~1\\Temp\\winlogon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"