BullGuard Antivirus Forum
Explorer.exe disabled, task manager disabled, access denied cleanup software
43 posts in this thread.

krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/23/2009 3:23 PM (GMT +2)
I was reading this thread and was unable to follow it to the new thread that was started.
 
I have exactly the same problem. I have a PC that I can only access in safe mode via the administrator account. I then get no desktop but I can get Task Manager via Ctrl-Alt-Delete. Using the run command located on Task Manager, I have tried to clean this PC up. As was stated in the above post, once any type of cleanup software is run it becomes unusable. Also the file and even the folder it is located in gets marked as read only. Unable to rename items or anything. What I have done is create new folders and put things in there to try and run them. I have taken the hard drive out and placed it in another computer as a secondary drive, then I ran McAfee. It found numerous trojans...vundo, generic.dx, and a few others - McAfee cleaned what it was able. Once I had finished that I placed the drive back in the original computer - same behavior! I cannot log in any way except safe mode. A normal login gives just a garbled wallpaper with no icons, no start button. Ctrl-Alt-Del gives me "Task Manager has been disabled by your Administrator". I have tried the accepted ways of re-enabling it. The DisableTaskManager registry key that is usually present causing this behavior is not there.
 
I realize I am heading for a re-install but would SURE like to find out exactly what has the PC so hosed.
 
I appreciate any help - even just directing me to the follow-up thread of the above post
 
thanks

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 9/24/2009 1:39 AM (GMT +2)
Although we have spoken via PM here, I do welcome you to BullGuard forums krbam2.


The situation there of course provides limited means of creating scan logs, so let's see if you can effect some changes, and post some logs from scans that may work for now. Most of my steps suggest download to the desktop, but unless I specifically say somewhere else you can do whatever it takes to gain access there.


Open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text (inside the Code box).

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

[Del.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,NoFolderOptions


Save this as correct.inf

Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, Then right-click on correct.inf and select Install. This may return some Task Manager access, and can be re-used there if needed during repairs.

-----------------

Click here or here and download Win32kDiag.exe directly to your C drive folder, so it then is C:\Win32kDiag.exe.


Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after:

cd\
win32kdiag -r -f


Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

If you cannot do the command window run of that, see if you can just click the Win32kDiag.exe file and post that log.

----------------------

Open Gmer again. This time just right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.


krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/24/2009 4:29 AM (GMT +2)
Thank you for the response.
It is 9:30 PM here and the computer I am working on is at work. When I get there in the AM I will follow the steps you have listed. I should have them completed by 10 CST or so.
 
 

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 9/24/2009 5:31 AM (GMT +2)
Hmmmm. I would ask right off why work's IT staff, or selected repairs service, is not effecting repairs on that system. "At work" suggests a computer owned by a business. Most of the specialty tools we use in these free help repairs are restricted to non-commercial use only by their authors. And so most often we refer business/agency repairs to those entities' own choice of repair solutions.


krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/24/2009 3:12 PM (GMT +2)
Well, the computer does not belong to work. It belongs to a friend's daughter. I just set them up here because I have the resources - like extra monitors and keyboards. Anyway - it is not work related or for commercial use.

krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/24/2009 3:45 PM (GMT +2)
OK. I followed your instructions. Very odd thing though: I placed the correct.inf file on the desktop and when I right-clicked and chose Install it ran ComboFix. I have tried ComboFix in the past couple of days, but it never ran correctly - it would always say "ComboFix has detected rootkit activity and needs to reboot." Once I rebooted nothing happened and nothing had changed. Anyway - once it completed this time I went back and checked the file to make sure I hadn't clicked on the wrong thing by accident, and I hadn't. The correct.inf was just as it was supposed to be, and this time when I chose "Install" it briefly popped up a cmd window that quickly closed. This is what I would have expected to happen before.

Then I ran win32kdiag - here is the log file results.
Running from: win32kdiag

Log file at : C:\Documents and Settings\Administrator.JILL\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Finished!


NEXT bizarre thing. After running the above I saw that it was trying to restore permissions on explorer.exe (this has been nonfunctional since I started looking at the PC), so I tried running explorer from the run command and it started COMBOFIX again!!!!

krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/24/2009 3:46 PM (GMT +2)
Guess I posted too quickly....I closed the combofix window and after a bit I got the dialog window that states windows is running in safe mode. When I clicked OK I got desktop icons!! THIS is progress. :-)

krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/24/2009 3:52 PM (GMT +2)
Just thinking - could the running of combofix be due to it being in the "run once" reg key and only ran after the correct.inf made some change and then ran again once win32kdiag had restored permissions on explorer for the same reason??

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 9/25/2009 4:13 AM (GMT +2)
ComboFix sets many shell commands, and there is a chance one of those did not complete and remains there. Malware has been doing plenty of strange permissions and other alterations that also are unpredictable. Are you able to run ComboFix where it completes, and creates a C:\ComboFix.txt log to post here? Also try Gmer again please.


krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/25/2009 2:57 PM (GMT +2)
When I turned on the PC this AM I still had a desktop, Yay! ComboFix ran without issue. Here is the log:
ComboFix 09-09-21.03 - Administrator 09/25/2009 7:41.4.1 - NTFSx86 MINIMAL
Running from: c:\my2\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ebucusuboz.exe
c:\documents and settings\All Users\Documents\ohiwytan.sys
c:\documents and settings\All Users\Documents\wuma.exe
c:\program files\Common Files\cegisoral.exe
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-1481908157-2778090379-637194718-500
c:\windows\aceqage.inf
c:\windows\ALCMTR.EXE
c:\windows\efitumykuq._dl
c:\windows\mark_32.dll
c:\windows\qabywew.pif
c:\windows\run.log
c:\windows\system32\41.exe
c:\windows\system32\aviz.exe
c:\windows\system32\buyoziyi.exe
c:\windows\system32\ecen.vbs
c:\windows\system32\fikuyelu.exe
c:\windows\system32\pihenedo.exe
c:\windows\system32\ubujifid.pif
c:\windows\system32\volizita.exe

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-24 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 13:17 . 2009-09-24 13:14 47616 ----a-w- C:\Win32kDiag.exe
2009-09-23 13:50 . 2009-09-23 13:45 40 ----a-w- c:\windows\servcheck.bat
2009-09-22 15:39 . 2009-09-22 15:50 -------- d-----w- C:\mtFix18950m
2009-09-22 15:36 . 2009-09-22 15:38 -------- d-----w- C:\mtFix
2009-09-22 15:34 . 2009-09-22 15:49 -------- d-----w- C:\my2
2009-09-22 15:16 . 2009-09-22 15:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 15:10 . 2009-09-22 15:10 73488 ----a-w- c:\windows\system32\drivers\FILEM701.SYS
2009-09-22 13:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 13:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 16:02 . 2009-09-21 16:02 -------- d-----w- c:\documents and settings\Administrator.JILL\Application Data\Malwarebytes
2009-09-17 16:11 . 2009-09-17 16:11 19147 ----a-w- c:\windows\system32\ogavel.dat
2009-09-17 16:11 . 2009-09-17 16:11 10615 ----a-w- c:\windows\axuwyraq.com
2009-09-17 15:21 . 2009-09-17 15:21 13917 ----a-w- c:\program files\Common Files\okozyvy.dat
2009-09-08 20:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 13:24 . 2005-08-22 00:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-24 13:24 . 2005-08-12 00:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-09-17 16:11 . 2009-09-17 16:11 14769 ----a-w- c:\program files\Common Files\ydedeher.lib
2009-09-17 16:11 . 2009-09-17 16:11 10924 ----a-w- c:\program files\Common Files\galybyw.db
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSBuild
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\program files\NOS
2009-08-09 16:06 . 2009-08-09 16:06 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-26 16:12 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2006-12-27 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-05-12 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-12 2805248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 2508;2508;c:\windows\system32\2508.sys [x]
R3 6e54;6e54;c:\windows\system32\6e54.sys [x]
R3 7206;7206;c:\windows\system32\7206.sys [x]
R3 7343;7343;c:\windows\system32\7343.sys [x]
R3 9a87;9a87;c:\windows\system32\9a87.sys [x]
R3 a612;a612;c:\windows\system32\a612.sys [x]
R3 LSDND;LSDND;c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp\LSDND.exe [x]
R3 UQXZWEBD;UQXZWEBD; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-22 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
mStart Page = hxxp://www.google.com
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{fd360822-f0e5-4392-9d7a-d961a0e73d58} - perofile.dll
HKLM-Run-yipavogora - wemetuvi.dll
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\Cleanup\HijackThis.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\mystuff\MalwarebytMalwar\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 07:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1028)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-25 7:48
ComboFix-quarantined-files.txt 2009-09-25 12:48
ComboFix2.txt 2009-09-21 19:31

Pre-Run: 59,518,050,304 bytes free
Post-Run: 59,475,214,336 bytes free

173 --- E O F --- 2009-09-15 17:06


I am now running Gmer.

krbam2
New Member
Date Joined Sep 2009
Total Posts : 24
Posted 9/25/2009 3:01 PM (GMT +2)
Gmer log...

GMER 1.0.15.15087 - http://www.gmer.net
Autostart scan 2009-09-25 08:00:03
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
McAfeeFramework@ = "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart
McShield@ = "C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe"
McTaskManager@ = "C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe"
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
WMPNetworkSvc@ = "C:\Program Files\Windows Media Player\WMPNetwk.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@ShStatEXE"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
@McAfeeUpdaterUI"C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey = "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
@AlcWzrdALCWZRD.EXE = ALCWZRD.EXE
@AlcFDMonitorC:\WINDOWS\ALCFDRTM.EXE = C:\WINDOWS\ALCFDRTM.EXE
ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*SampleView*/C:\WINDOWS\system32\ShellvRTF.dll = C:\WINDOWS\system32\ShellvRTF.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.google.com = http://www.google.com

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.gateway.com/ = http://www.gateway.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

---- EOF - GMER 1.0.15 ----

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 9/25/2009 11:12 PM (GMT +2)
Good, that put a solid dent in the malware there. I suspect much of what Gmer is picking up had to do with permissions changes there, so let's address that, then do more malware removal and repair.


Disable all security software.


Again Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after:

cd\
win32kdiag -r -f


Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

------------------

Download subinacl.msi from here to your desktop, then click the file to start the installer.

Accept any agreements, and when it suggests it install SubInACL.exe to its "C:\Program Files\Windows Resource Kits\Tools\" folder, instead click Browse, and direct it to your C folder, so it will then be C:\SubInACL.exe.


Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
REM SubInACL.exe was installed directly to C:\ (see the install step above), so run it from there
cd /d C:\
REM Give Administrators and SYSTEM full control over the registry hives the malware locked
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
REM Same for the folders on the system drive and everything under the Windows folder
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f

Save the file to the desktop as "permdo.bat"

Make sure to use the quotes "" in the name.

Then double-click on permdo.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

--------------

Some of what that did may make part of the next ComboFix steps redundant, but better to make sure there. Also looks like some of the random named drivers showing are left behind by a past Rootkit Revealer scan, but again better to make sure.

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
Driver::
2508
6e54
7206
7343
9a87
a612
LSDND
UQXZWEBD
File::
c:\windows\system32\ogavel.dat  
c:\windows\axuwyraq.com  
c:\program files\Common Files\okozyvy.dat 
c:\program files\Common Files\ydedeher.lib 
c:\program files\Common Files\galybyw.db 
Folder::
c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp
FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000


Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post that log, as well as the Win32kDiag.txt log please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/26/2009 12:46 AM (GMT +2)
Win32kdiag log....
Running from: win32kdiag

Log file at : C:\Documents and Settings\Administrator.JILL\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


Up until now I have been doing everything in Safe Mode because that was the only way to get any access. I logged in as Jill to install subinacl.msi as I could not do it in safe mode.

I ran the permdo.bat - it ran VERY quickly. Barely saw the command window.

ComboFix log using the CFScript file...
ComboFix 09-09-21.03 - Owner 2009-09-25 17:28.5.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\program files\Common Files\galybyw.db"
"c:\program files\Common Files\okozyvy.dat"
"c:\program files\Common Files\ydedeher.lib"
"c:\windows\axuwyraq.com"
"c:\windows\system32\ogavel.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp
c:\program files\Common Files\galybyw.db
c:\program files\Common Files\okozyvy.dat
c:\program files\Common Files\ydedeher.lib
c:\windows\axuwyraq.com
c:\windows\system32\ogavel.dat

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_2508
-------\Legacy_6E54
-------\Legacy_7206
-------\Legacy_7343
-------\Legacy_9A87
-------\Legacy_A612
-------\Legacy_LSDND
-------\Legacy_UQXZWEBD
-------\Service_2508
-------\Service_6e54
-------\Service_7206
-------\Service_7343
-------\Service_9a87
-------\Service_a612
-------\Service_LSDND
-------\Service_UQXZWEBD


((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-25 22:28 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-25 22:28 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-24 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 13:17 . 2009-09-24 13:14 47616 ----a-w- C:\Win32kDiag.exe
2009-09-23 13:50 . 2009-09-23 13:45 40 ----a-w- c:\windows\servcheck.bat
2009-09-22 15:39 . 2009-09-22 15:50 -------- d-----w- C:\mtFix18950m
2009-09-22 15:36 . 2009-09-22 15:38 -------- d-----w- C:\mtFix
2009-09-22 15:34 . 2009-09-22 15:49 -------- d-----w- C:\my2
2009-09-22 15:16 . 2009-09-22 15:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 15:10 . 2009-09-22 15:10 73488 ----a-w- c:\windows\system32\drivers\FILEM701.SYS
2009-09-22 13:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 13:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 16:02 . 2009-09-21 16:02 -------- d-----w- c:\documents and settings\Administrator.JILL\Application Data\Malwarebytes
2009-09-08 20:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 13:24 . 2005-08-22 00:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-24 13:24 . 2005-08-12 00:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSBuild
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\program files\NOS
2009-08-09 16:06 . 2009-08-09 16:06 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-26 16:12 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_12.46.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-25 22:18 . 2009-09-25 22:18 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-25 22:33 . 2009-09-25 22:33 16384 c:\windows\temp\Perflib_Perfdata_774.dat
+ 2009-09-25 22:18 . 2009-09-25 22:18 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-09-25 22:18 . 2009-09-25 22:18 16384 c:\windows\temp\Cookies\index.dat
+ 2009-09-25 22:21 . 2009-09-25 22:21 279040 c:\windows\Installer\2e60e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2006-12-27 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-05-12 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-12 2805248]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: myspace.com\www
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-09-25 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 22:39
ComboFix2.txt 2009-09-25 12:48
ComboFix3.txt 2009-09-21 19:31

Pre-Run: 58,947,788,800 bytes free
Post-Run: 58,986,528,768 bytes free

169 --- E O F --- 2009-09-15 17:06

I think I got all the instructions followed. :-)
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 9/26/2009 1:53 PM (GMT +2)
Looking much improved. That SubInACL procedure would not have run that quickly, so some part of that failed to work right.


Since you have it, open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

-------

Download MS Sysinternal's Junction.zip from here to your desktop, then unzip that. Then in that folder locate the Junction.exe file, and place a copy of that directly on your desktop.

Go to Start - Run, and copy/paste the following command line, and then press OK:

cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

Once you have accepted the agreement a command window will open. When the scan completes, a log.txt will open in Notepad. Paste those contents back here please. This will also be saved as "log.txt" in your current user's folder (example - C:\Documents and Settings\yourusername).

Post those two logs please.



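For readers following along, here is an added example (not from this thread and not Sysinternals code) that does in PowerShell what the junction.exe -s scan above does: it walks a drive, lists every reparse point (junction, symbolic link or volume mount point) together with its target, and records each folder or file that an elevated shell still cannot read, which in this thread was the sign of tampered permissions. It does not follow reparse points while walking, so a junction that points back up the tree cannot loop the scan. The root path is an assumption for the example, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the thread: enumerate reparse points under a root
# without descending into them, and note entries that are still access denied.
# Read-only. Run from an elevated PowerShell (3.0 or later).

function Get-ReparsePointReport {
    param([string]$Root = "$env:SystemDrive\")   # root is an assumption for the example

    $reparseFlag   = [System.IO.FileAttributes]::ReparsePoint
    $directoryFlag = [System.IO.FileAttributes]::Directory
    $pending = New-Object System.Collections.Generic.Stack[string]
    $denied  = New-Object System.Collections.Generic.List[string]
    $pending.Push($Root)

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        try {
            $entries = @([System.IO.Directory]::GetFileSystemEntries($dir))
        } catch {
            # An administrator being refused a directory listing is itself worth reporting.
            $denied.Add($dir)
            continue
        }
        foreach ($entry in $entries) {
            try {
                # Reading attributes does not open the file, so locked files such as
                # pagefile.sys and hiberfil.sys do not cause the errors junction.exe logged.
                $attrs = [System.IO.File]::GetAttributes($entry)
            } catch {
                $denied.Add($entry)
                continue
            }
            if ([int]($attrs -band $reparseFlag) -ne 0) {
                # Report the reparse point and deliberately do not descend into it.
                $item = Get-Item -LiteralPath $entry -Force -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path     = $entry
                    LinkType = if ($item) { $item.LinkType } else { 'unknown' }
                    Target   = if ($item) { ($item.Target -join '; ') } else { '' }
                }
            } elseif ([int]($attrs -band $directoryFlag) -ne 0) {
                $pending.Push($entry)
            }
        }
    }

    # Surface the access-denied entries separately from the reparse point list.
    foreach ($path in $denied) { Write-Warning "Access denied: $path" }
}

Get-ReparsePointReport -Root "$env:SystemDrive\" | Format-Table -AutoSize
```

On Windows Vista and later a clean system carries many legitimate junctions (Documents and Settings, the per-user Application Data links and so on), so the value of the list is in reviewing targets that point outside the expected Windows and profile folders, and in the access-denied warnings, not in the raw count.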
 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/26/2009 5:49 PM (GMT +2)
Malwarebytes will not install. It runs through the installation then I get this message

Run-time error 339
Component vbalsgrid6.ocx or one of its dependencies is not correctly registered.

I have googled the error and found something saying I needed to download and install vbrun60sp6.exe
I downloaded it but did not install because I do not want to do anything to hose up what we are doing with the pc.

I HAVE tried uninstalling Malwarebytes and rebooting then installing again - same error. Once the install is finished I get the same error if I try to run Malwarebytes.

I also didn't go on to the next step because I wasn't sure if I should since I couldn't run Malwarebytes.
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 9/26/2009 11:26 PM (GMT +2)
That second step might actually show us some of why Malwarebytes is having problems, so yes, go ahead and do that now.



 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/27/2009 2:21 AM (GMT +2)
Here is the Junction log...

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

.
Failed to open \\?\c:\\Documents and Settings\Administrator.JILL\Desktop\HiJackThis.exe: Access is denied.

...
Failed to open \\?\c:\\WINDOWS\Prefetch\layout.ini: Access is denied.

...
No reparse points found.


 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 9/27/2009 4:25 AM (GMT +2)
Just HijackThis.exe with permissions issues there. The rest of that log should be normal system functions. The last ComboFix log showed much of McAfee as running processes, so do whatever you can to get that disabled while doing these steps.

Right click My Computer, left click Explore, then navigate to the following file and right click - copy it:

C:\Program Files\Windows Resource Kits\Tools\SubInACL.exe

Then go to the C drive folder, and right click - paste. So you will then have a C:\SubInACL.exe.

Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
cd\
subinacl /subdirectories %SystemDrive% /grant=everyone=f
subinacl /subdirectories %windir%\*.* /grant=everyone=f

Save the file to the desktop as "newperm.bat"

Make sure to use the quotes "" in the name.

Then double-click on newperm.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

-------------------

Click here and download Inherit.exe to your desktop.

Then left click and hold that HijackThis.exe file and drag it into the Inherit.exe file, and release. That will reset the file's permissions.

Again right click My Computer, left click Explore. If that opens full screen use the double-squares icon upper right corner of that display to reduce the size to make it easier to work there. Navigate to the following folder, and right click drag that Inherit.exe file to that, release and select Copy Here.

C:\Program Files\Malwarebytes' Anti-Malware <------

Then drag each of those Malwarebytes files into Inherit.exe like you did with HijackThis.exe.

Then try running Malwarebytes again please.



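To check whether a permission repair like the permdo.bat and newperm.bat steps above actually took effect (the first run finishing in a blink was the clue that it had not), here is an added PowerShell example, not from this thread and not part of SubInACL, that reads the DACL on a list of folders and registry keys and reports whether BUILTIN\Administrators and SYSTEM still hold an explicit Full Control entry, whether inheritance has been blocked, and who owns the object. It changes nothing. The audit list is constructed for the example and includes the Malwarebytes folder named above; the Full Control baseline matches the XP-era defaults that the SubInACL commands restore, so on Vista and later, where TrustedInstaller holds Full Control under the Windows folder and Administrators are expected to have less, keep system folders out of the list or adjust the expectation.

```powershell
# Added example, not part of the thread: report which audited locations have lost
# explicit Full Control for Administrators (S-1-5-32-544) or SYSTEM (S-1-5-18).
# Read-only. Run from an elevated PowerShell (3.0 or later).

# Locations to audit; constructed for the example, extend as needed.
$AuditPaths = @(
    "$env:ProgramFiles",
    "$env:ProgramFiles\Malwarebytes' Anti-Malware",   # folder named earlier in the thread
    "$env:USERPROFILE\Desktop",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Classes\CLSID'
)

function Test-AceFullControl {
    # True when an explicit Allow ACE for $Sid grants Full Control on the object itself.
    param($Acl, [string]$Sid, $FullControl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Inherit-only ACEs apply to children, not to this object, so skip them.
        if ([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or unresolvable SID
        }
        if ($aceSid -ne $Sid) { continue }
        if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rights = $ace.FileSystemRights
        } else {
            $rights = $ace.RegistryRights
        }
        if (($rights -band $FullControl) -eq $FullControl) { return $true }
    }
    return $false
}

function Get-PermissionReport {
    param([string[]]$Paths = $AuditPaths)
    foreach ($path in $Paths) {
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # An administrator being refused the DACL itself is a finding, so report it.
            [pscustomobject]@{
                Path = $path; Owner = $null; AdminsFullControl = $false
                SystemFullControl = $false; InheritanceBlocked = $null
                Note = $_.Exception.Message
            }
            continue
        }
        if ($path -match '^HK(LM|CU|CR|U):') {
            $full = [System.Security.AccessControl.RegistryRights]::FullControl
        } else {
            $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        }
        [pscustomobject]@{
            Path               = $path
            Owner              = $acl.Owner
            AdminsFullControl  = Test-AceFullControl -Acl $acl -Sid 'S-1-5-32-544' -FullControl $full
            SystemFullControl  = Test-AceFullControl -Acl $acl -Sid 'S-1-5-18' -FullControl $full
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Note               = ''
        }
    }
}

# Show only the locations where a required principal has lost Full Control.
Get-PermissionReport |
    Where-Object { -not $_.AdminsFullControl -or -not $_.SystemFullControl } |
    Format-Table -AutoSize
```

An empty table means the audited locations carry the expected entries; a row with InheritanceBlocked set to True, or an Owner that is neither Administrators, SYSTEM nor the profile's own user, is the pattern the thread's "access denied" symptoms came from and is where a repair should be focused first.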
 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/27/2009 5:37 AM (GMT +2)
Running SubInAcl this time ran much longer. The red bar at top showed some 50000 files or so. There were 2 failures.

Using Inherit on Malwarebytes did not work - even though I got the message box saying "OK". Still get same vbalsgrid6.ocx error. I tried registering it and it failed, so I logged off and logged into safe mode as administrator and tried registering it. It said registration succeeded, but Malwarebytes will not run. Now I get Run-time error 0, followed by run-time error 440 : automation error. I uninstalled and reinstalled Malwarebytes. Same errors after re-install.
I did the uninstall and re-install as the Owner. Not in safe mode.
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 9/27/2009 2:29 PM (GMT +2)
Better we put off any more experiments with why Malwarebytes isn't working right now.

Click Scan in Gmer and run and post a new scan log with that please.

Then close Gmer, open it again, and right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.



 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/27/2009 9:23 PM (GMT +2)
Gmer scan #1...


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-27 14:21:39
Windows 5.1.2600 Service Pack 3
Running: ftng38n7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                        mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                       mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                       mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                     mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
---- Registry - GMER 1.0.15 ----
Reg             HKLM\SOFTWARE\Classes\.cfxxe@                                                                   cfxxefile
Reg             HKLM\SOFTWARE\Classes\.mbam@                                                                    mbam.script
Reg             HKLM\SOFTWARE\Classes\cfxxefile\shell                                                          
Reg             HKLM\SOFTWARE\Classes\cfxxefile\shell\open                                                     
Reg             HKLM\SOFTWARE\Classes\cfxxefile\shell\open\command                                             
Reg             HKLM\SOFTWARE\Classes\cfxxefile\shell\open\command@                                             "%1" %*
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6@                                                        AIFF Clip
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\DefaultIcon                                            
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\DefaultIcon@                                            C:\Program Files\Real\RealPlayer\RealPlay.exe,0
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell                                                  
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open                                             
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open\command                                     
Reg             HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open\command@                                     "C:\Program Files\Real\RealPlayer\RealPlay.exe" /m audio/aiff %1
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6@                                                         WAV Clip
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\DefaultIcon                                             
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\DefaultIcon@                                             C:\Program Files\Real\RealPlayer\RealPlay.exe,0
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell                                                   
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open                                              
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open\command                                      
Reg             HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open\command@                                      "C:\Program Files\Real\RealPlayer\RealPlay.exe" /m audio/wav %1
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.CTimer@                                                        SSubTimer6.CTimer
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.CTimer\Clsid                                                  
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.CTimer\Clsid@                                                  {71A27034-C7D8-11D2-BEF8-525400DFB47A}
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass@                                                     SSubTimer6.GSubclass
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass\Clsid                                               
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass\Clsid@                                               {71A27032-C7D8-11D2-BEF8-525400DFB47A}
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass@                                                     SSubTimer6.ISubclass
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass\Clsid                                               
Reg             HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass\Clsid@                                               {71A2702F-C7D8-11D2-BEF8-525400DFB47A}
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell@                                            vbAcceleratorSGrid6.cGridCell
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid                                      
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid@                                      {9BD3A001-42A2-491E-AACA-9512F6CF4CDB}
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject@                                      vbAcceleratorSGrid6.cGridSortObject
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid                                
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid@                                {D2129738-6A78-4BCB-915A-412982CAA23D}
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw@                                   vbAcceleratorSGrid6.IGridCellOwnerDraw
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid                             
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid@                             {DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid@                                             vbAccelerator Grid Control
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid                                       
Reg             HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid@                                       {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}
---- Files - GMER 1.0.15 ----
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000034.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001043.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001047.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002047.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002051.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002073.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003073.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003144.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003215.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003286.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0004286.sys:1  8704 bytes executable
ADS             C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0004357.sys:1  8704 bytes executable
---- EOF - GMER 1.0.15 ----
 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
Posted 9/27/2009 9:24 PM (GMT +2)
Gmer scan #2
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-27 10:28:33
Windows 5.1.2600 Service Pack 3
Running: ftng38n7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys

---- Modules - GMER 1.0.15 ----
Module   aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.)                                                                                                                                                  F89F9000-F89FB000 (8192 bytes)
Module   cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.)                                                                                                                                                 F89FB000-F89FD000 (8192 bytes)
Module   viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation)                                                                                                                                            F89FF000-F8A01000 (8192 bytes)
Module   sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.)                                                                                                                                        F8785000-F878A000 (20480 bytes)
Module   symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.)                                                                                                                                 F8911000-F8915000 (16384 bytes)
Module   asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.)                                                                                                                                 F878D000-F8794000 (28672 bytes)
Module   asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.)                                                                                                                         F891D000-F8921000 (16384 bytes)
Module   mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.)                                                                                                          F8795000-F879A000 (20480 bytes)
Module   symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic)                                                                                                                                                 F87A5000-F87AD000 (32768 bytes)
Module   sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic)                                                                                                                                              F87AD000-F87B4000 (28672 bytes)
Module   sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic)                                                                                                                                               F87B5000-F87BD000 (32768 bytes)
Module   ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.)                                                                                                                                     F8565000-F856E000 (36864 bytes)
Module   ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                                              F8575000-F857F000 (40960 bytes)
Module   ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                                              F8585000-F8591000 (49152 bytes)
Module   ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                                             F8595000-F85A1000 (49152 bytes)
Module   dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation)                                                                                                                                       F8321000-F834D000 (180224 bytes)
Module   PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions)                                                                                                                               F85C5000-F85CE000 (36864 bytes)
Module   sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation)                                                                                                                                    F85D5000-F85DF000 (40960 bytes)
Module   amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.)                                                                                                                                         F8635000-F8640000 (45056 bytes)
Module   \SystemRoot\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation)                                                                                                              F7744000-F77F9000 (741376 bytes)
Module   \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider)                                                                                  F7708000-F7730000 (163840 bytes)
Module   \SystemRoot\system32\DRIVERS\HSFHWBS2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.)                                                                                                                   F76AE000-F76E4000 (221184 bytes)
Module   \SystemRoot\system32\DRIVERS\HSF_DP.sys (HSF_DP driver/Conexant Systems, Inc.)                                                                                                                           F758C000-F768B000 (1044480 bytes)
Module   \SystemRoot\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.)                                                                                                                       F74E4000-F758C000 (688128 bytes)
Module   \SystemRoot\system32\DRIVERS\e100b325.sys (Intel(R) PRO/100 Adapter NDIS 5.1 driver/Intel Corporation)                                                                                                   F74BE000-F74E4000 (155648 bytes)
Module   \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.)                                                                                   F88D5000-F88DA000 (20480 bytes)
Module   \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.)                                                                                 AA484000-AA76F000 (3059712 bytes)
Module   \SystemRoot\system32\drivers\mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)                                                                                                                  F86F5000-F8701000 (49152 bytes)
Module   \??\C:\Program_Files\McAfee\VirusScan_Enterprise\mferkdk.sys (VSCore Code Analysis Driver/McAfee, Inc.)                                                                                                  F8815000-F881C000 (28672 bytes)
Module   \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (SunkFilt/Alcor Micro Corp.)                                                                                                                                F8825000-F882C000 (28672 bytes)
Module   \SystemRoot\System32\ialmdnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation)                                                                                                           BF020000-BF03E000 (122880 bytes)
Module   \SystemRoot\System32\ialmrnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation)                                                                                                           BF012000-BF020000 (57344 bytes)
Module   \SystemRoot\System32\ialmdev5.DLL (Component GHAL Driver/Intel Corporation)                                                                                                                              BF03E000-BF064000 (155648 bytes)
Module   \SystemRoot\System32\ialmdd5.DLL (DirectDraw(R) Driver for Intel(R) Graphics Technology/Intel Corporation)                                                                                               BF064000-BF125000 (790528 bytes)
Module   \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated)                                                                                                       BFFA0000-BFFE6000 (286720 bytes)
Module   \SystemRoot\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant)                                                                                                                          A90FC000-A90FF000 (12288 bytes)
Module   \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys (GMER)                                                                                                                                                  A86EE000-A8703000 (86016 bytes)
---- Processes - GMER 1.0.15 ----
Process  C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.)                                                                                                                              116
Library  C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.)                                                                                                                              0x00400000
Process  C:\Program Files\McAfee\Common Framework\UdaterUI.exe (Common User Interface/McAfee, Inc.)                                                                                                               152
Library  C:\Program Files\McAfee\Common Framework\UdaterUI.exe (Common User Interface/McAfee, Inc.)                                                                                                               0x00400000
Library  C:\Program Files\McAfee\Common Framework\nailog2.dll (Debug Logging/McAfee, Inc.)                                                                                                                        0x643F0000
Library  C:\Program Files\McAfee\Common Framework\naCmnLib2_71.dll (Common Library/McAfee, Inc.)                                                                                                                  0x643A0000
Library  C:\Program Files\McAfee\Common Framework\naXML2_71.dll                                                                                                                                                   0x644A0000
Library  C:\Program Files\McAfee\Common Framework\applib.dll (CMA Application Library/McAfee, Inc.)                                                                                                               0x64070000
Library  C:\Program Files\McAfee\Common Framework\cmalib.dll (CMA Library/McAfee, Inc.)                                                                                                                           0x640B0000
Library  C:\Program Files\McAfee\Common Framework\0409\UpdRes.dll (Common UI Resources/McAfee, Inc.)                                                                                                              0x645E0000
Library  C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll (Agent Subsystem Resources/McAfee, Inc.)                                                                                                      0x64050000
Library  C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll (Secure Framework Factory/McAfee, Inc.)                                                                                              0x64560000
Process  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (VirusScan tray icon/McAfee, Inc.)                                                                                                               172
Library  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (VirusScan tray icon/McAfee, Inc.)                                                                                                               0x00400000
Library  C:\Program Files\McAfee\VirusScan Enterprise\LockDown.dll (Provides self-protection functionality/McAfee, Inc.)                                                                                          0x140E0000
Library  C:\Program Files\McAfee\VirusScan Enterprise\ftcfg.dll (Filter Configuration Resource Library/McAfee, Inc.)                                                                                              0x153E0000
Library  C:\Program Files\McAfee\VirusScan Enterprise\mytilus2.dll (Common Shell2 - Scanners' interface to the 5000 series engine/McAfee, Inc.)                                                                   0x14220000
Library  C:\Program Files\McAfee\VirusScan Enterprise\mytilus.dll (Common Shell - Scanners' interface to the engine/McAfee, Inc.)                                                                                 0x14180000
Library  C:\Program Files\McAfee\VirusScan Enterprise\wmain.dll (Shared Library/McAfee, Inc.)                                                                                                                     0x161A0000
Library  C:\Program Files\McAfee\VirusScan Enterprise\shutil.dll (VirusScan Shared Utility Library/McAfee, Inc.)                                                                                                  0x15C80000
Library  C:\Program Files\McAfee\VirusScan Enterprise\RES0900\McShield.dll (Resources for McShield/McAfee, Inc.)                                                                                                  0x14100000
Library  C:\Program Files\McAfee\VirusScan Enterprise\Graphics.dll (VirusScan Graphics/McAfee, Inc.)                                                                                                              0x154A0000
Process  C:\WINDOWS\ALCFDRTM.EXE (ALCFDRTM/Realtek Semiconductor Corp.)                                                                                                                                           188
Library  C:\WINDOWS\ALCFDRTM.EXE (ALCFDRTM/Realtek Semiconductor Corp.)                                                                                                                                           0x00400000
Process  C:\WINDOWS\ALCWZRD.EXE (RealTek AlcWzrd Application/RealTek Semicoductor Corp.)                                                                                                                          196
Library  C:\WINDOWS\ALCWZRD.EXE (RealTek AlcWzrd Application/RealTek Semicoductor Corp.)                                                                                                                          0x00400000
Process  C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee Security Agent Taskbar Extension/McAfee, Inc.)                                                                                               372
Library  C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee Security Agent Taskbar Extension/McAfee, Inc.)                                                                                               0x00400000
Library  C:\Program Files\McAfee\Common Framework\JrMac.dll (McAfee Security Agent Taskbar Extension Library/McAfee, Inc.)                                                                                        0x66900000
Process  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc.)                                                                                              404
Library  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc.)                                                                                              0x00400000
Library  C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\gtn.dll (GoogleToolbarNotifier/Google Inc.)                                                                                                  0x10000000
Library  C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (GoogleToolbarNotifier/Google Inc.)                                                                                                  0x00C00000
Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                                                          988
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                                                             0x16080000
Process  C:\Documents and Settings\Owner\Desktop\ftng38n7.exe                                                                                                                                                     1336
Library  C:\Documents and Settings\Owner\Desktop\ftng38n7.exe                                                                                                                                                     0x00400000
Process  C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation)                                                                                                                                         1392
Library  C:\PROGRA~1\WINDOW~2\wmpband.dll (Windows Media Player Deskband/Microsoft Corporation)                                                                                                                   0x13420000
Library  C:\Program Files\McAfee\Common Framework\JrMac.dll (McAfee Security Agent Taskbar Extension Library/McAfee, Inc.)                                                                                        0x66900000
Library  C:\Program Files\McAfee\VirusScan Enterprise\shext.dll (Shell Extension/McAfee, Inc.)                                                                                                                    0x15C20000
Library  C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation)                                                                                            0x10000000
Library  C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.)                                                                                                        0x01930000
Process  C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation)                                                                                                                            1476
Library  C:\WINDOWS\system32\CNMLM75.DLL (IJ Language Monitor/CANON INC.)                                                                                                                                         0x66F40000
Library  C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD75.DLL (IJ Print Processor Dispatcher/CANON INC.)                                                                                                         0x00980000
Library  C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation)                                                                                0x3F420000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                                                             0x16080000
Process  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                                                                  1640
Library  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                                                                  0x00400000
Process  C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                                                          1692
Library  C:\WINDOWS\System32\strmfilt.dll (Stream Filter Library/Microsoft Corporation)                                                                                                                           0x6F290000
Process  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                                                           1716
Library  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                                                           0x00400000
---- Services - GMER 1.0.15 ----
Service  C:\WINDOWS\system32\DRIVERS\aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.)                                                                                                                      [BOOT] AliIde
Service  C:\WINDOWS\system32\DRIVERS\amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.)                                                                                                             [BOOT] amdagp
Service  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device Service/Apple Inc.)                                                                      [DISABLED] Apple Mobile Device
Service  C:\WINDOWS\system32\DRIVERS\asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.)                                                                                                     [BOOT] asc
Service  C:\WINDOWS\system32\DRIVERS\asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.)                                                                                             [BOOT] asc3550
Service  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                                                                  [AUTO] Bonjour Service
Service  C:\ComboFix\catchme.sys                                                                                                                                                                                  [MANUAL] catchme
Service  C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.)                                                                                                                     [BOOT] CmdIde
Service  C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation)                                                                                                           [BOOT] dac2w2k
Service  C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel(R) PRO/100 Adapter NDIS 5.1 driver/Intel Corporation)                                                                                                    [MANUAL] E100B
Service  C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.)                                                                                                                           [MANUAL] GEARAspiWDM
Service  C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (gusvc/Google)                                                                                                                    [MANUAL] gusvc
Service  C:\WINDOWS\system32\drivers\HdAudio.sys (High Definition Audio Function Driver v1.0a/Windows (R) Server 2003 DDK provider)                                                                               [MANUAL] HdAudAddService
Service  C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider)                                                                                   [MANUAL] HDAudBus
Service  C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.)                                                                                                                    [MANUAL] HSFHWBS2
Service  C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (HSF_DP driver/Conexant Systems, Inc.)                                                                                                                            [MANUAL] HSF_DP
Service  C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation)                                                                                                               [MANUAL] ialm
Service  C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation)                                                                                    [MANUAL] IDriverT
Service   (Ahead MRW Filter Driver/Ahead Software AG)                                                                                                                                                             [SYSTEM] incdrm
Service  C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.)                                                                                  [MANUAL] IntcAzAudAddService
Service  C:\Program Files\iPod\bin\iPodService.exe (iPodService Module/Apple Inc.)                                                                                                                                [MANUAL] iPod Service
Service  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                                                           [AUTO] JavaQuickStarterService
Service  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE                                                                                                                                                               [MANUAL] LiveUpdate
Service  C:\Program Files\McAfee\Common Framework\FrameworkService.exe (Framework Service/McAfee, Inc.)                                                                                                           [MANUAL] McAfeeFramework
Service  C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (On-Access Scanner service/McAfee, Inc.)                                                                                                       [MANUAL] McShield
Service  C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (Task Manager/McAfee, Inc.)                                                                                                                    [MANUAL] McTaskManager
Service  C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant)                                                                                                                           [AUTO] mdmxsdk
Service  C:\WINDOWS\system32\drivers\mfeapfk.sys (Access Protection Filter Driver/McAfee, Inc.)                                                                                                                   [MANUAL] mfeapfk
Service  C:\WINDOWS\system32\drivers\mfeavfk.sys (Anti-Virus File System Filter Driver/McAfee, Inc.)                                                                                                              [MANUAL] mfeavfk
Service  C:\WINDOWS\system32\drivers\mfebopk.sys (Buffer Overflow Protection Driver/McAfee, Inc.)                                                                                                                 [MANUAL] mfebopk
Service  C:\WINDOWS\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                                                                              [MANUAL] mfehidk
Service  C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (VSCore Code Analysis Driver/McAfee, Inc.)                                                                                                      [SYSTEM] mferkdk
Service  C:\WINDOWS\system32\drivers\mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)                                                                                                                   [SYSTEM] mfetdik
Service  C:\WINDOWS\system32\DRIVERS\mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.)                                                                              [BOOT] mraid35x
Service  C:\WINDOWS\system32\DRIVERS\MRVW245.sys (NDIS 5.1 driver/Marvell Semiconductor, Inc)                                                                                                                     [MANUAL] MRVW245
Service                                                                                                                                                                                                           MSDTC Bridge 3.0.0.0
Service  C:\WINDOWS\system32\DRIVERS\mxnic.sys (Macronix MX987xx Family Fast Ethernet Adapter Window Driver                    /Macronix International Co., Ltd.                                               )  [MANUAL] mxnic
Service  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 /NVIDIA Corporation)                                                                             [MANUAL] nv
Service  C:\Program                                                                                                                                                                                               [DISABLED] PrismXL
Service  C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.)                                                                                    [MANUAL] Ptilink
Service  C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions)                                                                                                   [BOOT] PxHelp20
Service  C:\WINDOWS\system32\DRIVERS\ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                  [BOOT] ql1080
Service  C:\WINDOWS\system32\DRIVERS\ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                 [BOOT] ql12160
Service  C:\WINDOWS\system32\DRIVERS\ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation)                                                                                                  [BOOT] ql1280
Service  C:\WINDOWS\system32\DRIVERS\rt2500usb.sys (Sample Driver for Ralink 802.11g Wireless USB Adapters/Ralink Technology Inc.)                                                                                [MANUAL] rt2500usb
Service  C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)                                            [MANUAL] Secdrv
Service                                                                                                                                                                                                           ServiceModelEndpoint 3.0.0.0
Service                                                                                                                                                                                                           ServiceModelOperation 3.0.0.0
Service                                                                                                                                                                                                           ServiceModelService 3.0.0.0
Service  C:\WINDOWS\system32\DRIVERS\sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation)                                                                                                        [BOOT] sisagp
Service                                                                                                                                                                                                           SMSvcHost 3.0.0.0
Service                                                                                                                                                                                                           SNMP
Service  C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.)                                                                                                            [BOOT] Sparrow
Service  C:\WINDOWS\System32\Drivers\sunkfilt.sys (SunkFilt/Alcor Micro Corp.)                                                                                                                                    [MANUAL] SunkFilt
Service  C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.)                                                                                                     [BOOT] symc810
Service  C:\WINDOWS\system32\DRIVERS\symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic)                                                                                                                     [BOOT] symc8xx
Service  C:\WINDOWS\system32\DRIVERS\sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic)                                                                                                                  [BOOT] sym_hi
Service  C:\WINDOWS\system32\DRIVERS\sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic)                                                                                                                   [BOOT] sym_u3
Service  C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.)                                                                                                         [BOOT] ultra
Service  C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple Mobile Device USB Driver/Apple, Inc.)                                                                                                                     [MANUAL] USBAAPL
Service  C:\WINDOWS\system32\DRIVERS\viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation)                                                                                                                [BOOT] ViaIde
Service  C:\Program Files\Viewpoint\Common\ViewpointService.exe (ViewMgr/Viewpoint Corporation)                                                                                                                   [DISABLED] Viewpoint Manager Service
Service  system32\DRIVERS\wanatw4.sys                                                                                                                                                                             [MANUAL] wanatw
Service  C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.)                                                                                                                        [MANUAL] winachsf
Service                                                                                                                                                                                                           Windows Workflow Foundation 3.0.0.0
Service                                                                                                                                                                                                           Wmi
---- EOF - GMER 1.0.15 ----


 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 9/27/2009 10:17 PM (GMT +2)
Seeing the Gmer results I guess we will need to revisit issues with Malwarebytes. Looks like a registry key related to that is locked in some manner.


Open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
cd\
REM Take ownership of the whole HKLM\SOFTWARE\Classes tree (subinacl.exe must be in C:\ or on the PATH)
subinacl /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" /setowner=everyone

Save the file to the desktop as "againperm.bat"

Make sure to use the quotes "" in the name.

Then double-click on againperm.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

----------

Then try running Malwarebytes again please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Post Edited (Jintan) : 27-09-2009 20:23:38 GMT

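The batch file above hands ownership of every key under HKLM\SOFTWARE\Classes to Everyone, which unlocks the tree but also leaves it writable by any account. The script below is an added example, not code from this thread or from Jintan; it does the same job in PowerShell but first lists which keys are actually locked (an explicit Deny ACE, or a key that cannot be opened at all) and then takes ownership for BUILTIN\Administrators only on those keys. It assumes the scan root is the same HKLM\SOFTWARE\Classes tree, that it is run from an elevated PowerShell prompt by a member of Administrators, and that the `TokenPriv` helper (defined inline) is used to enable SeTakeOwnershipPrivilege, which an admin token holds but leaves disabled by default.

```powershell
# Added example (not from the thread). Scan for locked registry keys under $Root and,
# when $Fix is $true, take ownership and repair their DACLs. Run elevated.
$Root  = 'HKLM:\SOFTWARE\Classes'        # assumption: same tree the subinacl batch targets
$Fix   = $false                           # flip to $true to repair, after reviewing the list
$Admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

# Helper (hypothetical name): enable a privilege already present in the process token.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, int access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES np, int len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false;  // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TOKEN_PRIVILEGES tp; tp.Count = 1; tp.Attr = 2;                             // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        // AdjustTokenPrivileges returns TRUE even when nothing was assigned; check the last error too.
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
    }
}
'@

# List keys under $Path whose DACL cannot be read, that cannot be opened, or that carry an explicit Deny ACE.
function Find-LockedKeys {
    param([string]$Path)
    $errs = @()
    $keys = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -ErrorVariable errs
    foreach ($k in $keys) {
        try   { $acl = Get-Acl -Path $k.PSPath -ErrorAction Stop }
        catch { New-Object PSObject -Property @{ Key = $k.Name; Reason = 'DACL unreadable' }; continue }
        if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) {
            New-Object PSObject -Property @{ Key = $k.Name; Reason = 'Deny ACE present' }
        }
    }
    foreach ($e in $errs) {
        if ($e.TargetObject) { New-Object PSObject -Property @{ Key = [string]$e.TargetObject; Reason = 'open failed' } }
    }
}

# Take ownership of one HKLM-relative key, drop explicit Deny ACEs, grant Administrators Full Control.
function Repair-KeyAcl {
    param([string]$SubKey)
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'cannot enable SeTakeOwnershipPrivilege; run elevated' }

    # With the privilege enabled, opening for WRITE_OWNER alone succeeds even if the DACL denies everything.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)
    $key.SetAccessControl($sec)
    $key.Close()

    # The owner implicitly holds READ_CONTROL and WRITE_DAC, so the DACL can now be rewritten.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        ([System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
         [System.Security.AccessControl.RegistryRights]::ChangePermissions))
    $sec = $key.GetAccessControl()
    # Only explicit (non-inherited) rules can be removed here; inherited Deny ACEs must be fixed on the parent.
    foreach ($ace in $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRule($ace) }
    }
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($sec)
    $key.Close()
}

$locked = @(Find-LockedKeys -Path $Root)
$locked | Format-Table Reason, Key -AutoSize
if ($Fix) {
    foreach ($item in $locked) {
        Repair-KeyAcl -SubKey ($item.Key -replace '^HKEY_LOCAL_MACHINE\\', '')
    }
}
```

Review the listed keys before setting `$Fix` to `$true`: a handful of Deny ACEs or unopenable keys in a tree that is normally wide open is the signature to look for, and repairing only those keys keeps the rest of HKLM\SOFTWARE\Classes at its default permissions instead of handing ownership to Everyone. Restoring access to a locked key does not remove whatever locked it; the scanners the thread goes on to run are still needed.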
 

krbam2
New Member


Date Joined Sep 2009
Total Posts : 24
 
   Posted 9/27/2009 11:02 PM (GMT +2)
I ran it again. It ran OK I think - didn't take as long as last time.
Malwarebytes still will not run, same errors...Run-time 0 then run-time 440 Automation error.
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 9/28/2009 1:57 AM (GMT +2)
We will switch to a different installed scan there for now. I have not trialed the following recently, so admit my steps for it may not quite match its current settings (if you would, let me know what you see as needing a change).


Click here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.


Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective. SUPERAntiSpyware tends to have logs full of cookie finds unless this is done.

-------------

Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.


Run a new ComboFix scan, and post that and the SUPERAntiSpyware log please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
