Explorer.exe disabled, task manager disabled, access denied cleanup software

Posted 9/23/2009 1:23 PM
#77675
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
I was reading this thread

http://forum.bullguard.com/forum/8/System-Restore-Disabled-Spybot_75774.html

and was unable to follow it to the new thread that was started.

I have exactly the same problem. I have a PC that I can only access in safe mode via the administrator account. I then get no desktop, but I can get Task Manager via Ctrl-Alt-Delete. Using the run command located on Task Manager, I have tried to clean this PC up. As was stated in the above post, once any type of cleanup software is run it becomes unusable. Also the file and even the folder it is located in gets marked as read only. Unable to rename items or anything. What I have done is create new folders and put things in there to try and run them. I have taken the hard drive out and placed it in another computer as a secondary drive, then I ran McAfee. It found numerous trojans... Vundo, generic.dx, and a few others - McAfee cleaned what it was able. Once I had finished that I placed the drive back in the original computer - same behavior! I cannot log in any way except safe mode. A normal login gives just a garbled wallpaper with no icons, no start button. Ctrl-Alt-Del gives me "Task Manager has been disabled by your Administrator". Have tried the accepted ways of re-enabling it. The DisableTaskManager registry key that is usually present causing this behavior is not there.

I realize I am heading for a re-install but would SURE like to find out exactly what has the PC so hosed.

I appreciate any help - even just directing me to the follow-up thread of the above post.

thanks
Posted 9/23/2009 11:39 PM
#77678
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Although we have spoken via PM here, I do welcome you to BullGuard forums krbam2.

The situation there of course provides limited means of creating scan logs, so let's see if you can effect some changes, and post some logs from scans that may work for now. Most of my steps suggest download to the desktop, but unless I specifically say somewhere else you can do whatever it takes to gain access there.

Open Notepad (Start, Run, type notepad and select Enter) and copy/paste the following text (inside the Code box).

[CODE][Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

; remove the policy values malware sets to lock out regedit, Task Manager and Folder Options
[Del.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions[/CODE]

Save this as correct.inf

Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, then right-click on correct.inf and select Install. This may return some Task Manager access, and can be re-used there if needed during repairs.

-----------------

Click here or here and download Win32kDiag.exe directly to your C drive folder, so it then is C:\Win32kDiag.exe.

Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after:

cd\
win32kdiag -r -f

Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

If you cannot do the command window run of that, see if you can just click the Win32kDiag.exe file and post that log.

----------------------

Open Gmer again. This time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
Posted 9/24/2009 2:29 AM
#77680
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Thank you for the response.
It is 9:30 PM here and the computer I am working on is at work. When I get there in the AM I will follow the steps you have listed. I should have them completed by 10 CST or so.
Posted 9/24/2009 3:31 AM
#77681
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Hmmmm. I would ask right off why work's IT staff, or selected repairs service, is not effecting repairs on that system. "At work" suggests a computer owned by a business. Most of the specialty tools we use in these free help repairs are restricted to non-commercial use only by their authors. And so most often we refer business/agency repairs to those entities' own choice of repair solutions.
Posted 9/24/2009 1:12 PM
#77700
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Well, the computer does not belong to work. It belongs to a friend's daughter. I just set them up here because I have the resources - like extra monitors and keyboards. Anyway - it is not work related or for commercial use.
Posted 9/24/2009 1:45 PM
#77701
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
OK. I followed your instructions. Very odd thing though: I placed the correct.inf file on the desktop and when I right-clicked and chose Install it ran ComboFix. I have tried ComboFix in the past couple of days, but it never ran correctly - it would always say "ComboFix has detected rootkit activity and needs to reboot." Once I rebooted nothing happened and nothing had changed. Anyway - once it completed this time I went back and checked the file to make sure I hadn't clicked on the wrong thing by accident, and I hadn't. The correct.inf was just as it was supposed to be, and this time when I chose "Install" it briefly popped up a cmd window that quickly closed. This is what I would have expected to happen before.

Then I ran win32kdiag - here are the log file results.
Running from: win32kdiag

Log file at : C:\Documents and Settings\Administrator.JILL\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Finished!


NEXT bizarre thing. After running the above I saw that it was trying to restore permissions on explorer.exe (this has been nonfunctional since I started looking at the PC), so I tried running explorer from the run command and it started COMBOFIX again!!!!
Posted 9/24/2009 1:46 PM
#77702
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Guess I posted too quickly.... I closed the ComboFix window and after a bit I got the dialog window that states Windows is running in safe mode. When I clicked OK I got desktop icons!! THIS is progress. :-)
Posted 9/24/2009 1:52 PM
#77703
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Just thinking - could the running of ComboFix be due to it being in the "run once" reg key, so that it only ran after the correct.inf made some change, and then ran again once win32kdiag had restored permissions on explorer for the same reason??
Posted 9/25/2009 2:13 AM
#77709
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
ComboFix sets many shell commands, and there is a chance one of those did not complete and remains there. Malware has been doing plenty of strange permissions and other alterations that also are unpredictable. Are you able to run ComboFix where it completes, and creates a C:\ComboFix.txt log to post here? Also try Gmer again please.
Posted 9/25/2009 12:57 PM
#77738
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
When I turned on the PC this AM I still had a desktop, Yay! ComboFix ran without issue. Here is the log
ComboFix 09-09-21.03 - Administrator 09/25/2009 7:41.4.1 - NTFSx86 MINIMAL
Running from: c:\my2\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ebucusuboz.exe
c:\documents and settings\All Users\Documents\ohiwytan.sys
c:\documents and settings\All Users\Documents\wuma.exe
c:\program files\Common Files\cegisoral.exe
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-1481908157-2778090379-637194718-500
c:\windows\aceqage.inf
c:\windows\ALCMTR.EXE
c:\windows\efitumykuq._dl
c:\windows\mark_32.dll
c:\windows\qabywew.pif
c:\windows\run.log
c:\windows\system32\41.exe
c:\windows\system32\aviz.exe
c:\windows\system32\buyoziyi.exe
c:\windows\system32\ecen.vbs
c:\windows\system32\fikuyelu.exe
c:\windows\system32\pihenedo.exe
c:\windows\system32\ubujifid.pif
c:\windows\system32\volizita.exe

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-24 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 13:17 . 2009-09-24 13:14 47616 ----a-w- C:\Win32kDiag.exe
2009-09-23 13:50 . 2009-09-23 13:45 40 ----a-w- c:\windows\servcheck.bat
2009-09-22 15:39 . 2009-09-22 15:50 -------- d-----w- C:\mtFix18950m
2009-09-22 15:36 . 2009-09-22 15:38 -------- d-----w- C:\mtFix
2009-09-22 15:34 . 2009-09-22 15:49 -------- d-----w- C:\my2
2009-09-22 15:16 . 2009-09-22 15:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 15:10 . 2009-09-22 15:10 73488 ----a-w- c:\windows\system32\drivers\FILEM701.SYS
2009-09-22 13:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 13:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 16:02 . 2009-09-21 16:02 -------- d-----w- c:\documents and settings\Administrator.JILL\Application Data\Malwarebytes
2009-09-17 16:11 . 2009-09-17 16:11 19147 ----a-w- c:\windows\system32\ogavel.dat
2009-09-17 16:11 . 2009-09-17 16:11 10615 ----a-w- c:\windows\axuwyraq.com
2009-09-17 15:21 . 2009-09-17 15:21 13917 ----a-w- c:\program files\Common Files\okozyvy.dat
2009-09-08 20:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 13:24 . 2005-08-22 00:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-24 13:24 . 2005-08-12 00:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-09-17 16:11 . 2009-09-17 16:11 14769 ----a-w- c:\program files\Common Files\ydedeher.lib
2009-09-17 16:11 . 2009-09-17 16:11 10924 ----a-w- c:\program files\Common Files\galybyw.db
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSBuild
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\program files\NOS
2009-08-09 16:06 . 2009-08-09 16:06 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-26 16:12 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2006-12-27 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-05-12 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-12 2805248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 2508;2508;c:\windows\system32\2508.sys [x]
R3 6e54;6e54;c:\windows\system32\6e54.sys [x]
R3 7206;7206;c:\windows\system32\7206.sys [x]
R3 7343;7343;c:\windows\system32\7343.sys [x]
R3 9a87;9a87;c:\windows\system32\9a87.sys [x]
R3 a612;a612;c:\windows\system32\a612.sys [x]
R3 LSDND;LSDND;c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp\LSDND.exe [x]
R3 UQXZWEBD;UQXZWEBD; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-22 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
mStart Page = hxxp://www.google.com
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{fd360822-f0e5-4392-9d7a-d961a0e73d58} - perofile.dll
HKLM-Run-yipavogora - wemetuvi.dll
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\Cleanup\HijackThis.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\mystuff\MalwarebytMalwar\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 07:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1028)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-25 7:48
ComboFix-quarantined-files.txt 2009-09-25 12:48
ComboFix2.txt 2009-09-21 19:31

Pre-Run: 59,518,050,304 bytes free
Post-Run: 59,475,214,336 bytes free

173 --- E O F --- 2009-09-15 17:06


I am now running Gmer
Posted 9/25/2009 1:01 PM
#77739
krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Gmer log...
Posted 9/25/2009 9:12 PM
#77752
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Good, that put a solid dent in the malware there. I suspect much of what Gmer is picking up had to do with permissions changes there, so let's address that, then do more malware removal and repair.

Disable all security software.

Again go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after:

cd\
win32kdiag -r -f

Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

------------------

Download subinacl.msi from here to your desktop, then click the file to start the installer.

Accept any agreements, and when it suggests it install SubInACL.exe to its "C:\Program Files\Windows Resource Kits\Tools\" folder, instead click Browse, and direct it to your C folder, so it will then be C:\SubInACL.exe.

Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
[code]rem change to the folder SubInACL.exe was installed to (C:\ per the step above)
cd /d C:\
rem give Administrators and SYSTEM full control back on the registry hives and the system drive
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f[/code]
Save the file to the desktop as "permdo.bat"

Make sure to use the quotes "" in the name.

Then double-click on permdo.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

--------------

Some of what that did may make part of the next ComboFix steps redundant, but better to make sure there. Also it looks like some of the random named drivers showing are left behind by a past Rootkit Revealer scan, but again better to make sure.

Open Notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

[code]KillAll::
Driver::
2508
6e54
7206
7343
9a87
a612
LSDND
UQXZWEBD
File::
c:\windows\system32\ogavel.dat
c:\windows\axuwyraq.com
c:\program files\Common Files\okozyvy.dat
c:\program files\Common Files\ydedeher.lib
c:\program files\Common Files\galybyw.db
Folder::
c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp
FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000[/code]

Save this to your desktop as CFScript.txt

You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post that log, as well as the Win32kDiag.txt log please.
Posted 9/25/2009 10:46 PM
#77760
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Win32kdiag log....
Running from: win32kdiag

Log file at : C:\Documents and Settings\Administrator.JILL\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Up until now I have been doing everything in Safe Mode because that was the only way to get any access. I logged in as Jill to install subinacl.msi as I could not do it in safe mode.

I ran the permdo.bat - it ran VERY quick. Barely saw the command window.

ComboFix log using the CFScript file...
ComboFix 09-09-21.03 - Owner 2009-09-25 17:28.5.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
"c:\program files\Common Files\galybyw.db"
"c:\program files\Common Files\okozyvy.dat"
"c:\program files\Common Files\ydedeher.lib"
"c:\windows\axuwyraq.com"
"c:\windows\system32\ogavel.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1.JIL\LOCALS~1\Temp
c:\program files\Common Files\galybyw.db
c:\program files\Common Files\okozyvy.dat
c:\program files\Common Files\ydedeher.lib
c:\windows\axuwyraq.com
c:\windows\system32\ogavel.dat

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_2508
-------\Legacy_6E54
-------\Legacy_7206
-------\Legacy_7343
-------\Legacy_9A87
-------\Legacy_A612
-------\Legacy_LSDND
-------\Legacy_UQXZWEBD
-------\Service_2508
-------\Service_6e54
-------\Service_7206
-------\Service_7343
-------\Service_9a87
-------\Service_a612
-------\Service_LSDND
-------\Service_UQXZWEBD

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-25 22:28 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-25 22:28 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-24 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-24 13:17 . 2009-09-24 13:14 47616 ----a-w- C:\Win32kDiag.exe
2009-09-23 13:50 . 2009-09-23 13:45 40 ----a-w- c:\windows\servcheck.bat
2009-09-22 15:39 . 2009-09-22 15:50 -------- d-----w- C:\mtFix18950m
2009-09-22 15:36 . 2009-09-22 15:38 -------- d-----w- C:\mtFix
2009-09-22 15:34 . 2009-09-22 15:49 -------- d-----w- C:\my2
2009-09-22 15:16 . 2009-09-22 15:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 15:10 . 2009-09-22 15:10 73488 ----a-w- c:\windows\system32\drivers\FILEM701.SYS
2009-09-22 13:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 13:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 16:02 . 2009-09-21 16:02 -------- d-----w- c:\documents and settings\Administrator.JILL\Application Data\Malwarebytes
2009-09-08 20:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 13:24 . 2005-08-22 00:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-24 13:24 . 2005-08-12 00:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSBuild
2009-08-25 17:06 . 2009-08-25 17:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-10 22:11 . 2009-08-09 16:06 -------- d-----w- c:\program files\NOS
2009-08-09 16:06 . 2009-08-09 16:06 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-26 16:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-26 16:12 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_12.46.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-25 22:18 . 2009-09-25 22:18 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-25 22:33 . 2009-09-25 22:33 16384 c:\windows\temp\Perflib_Perfdata_774.dat
+ 2009-09-25 22:18 . 2009-09-25 22:18 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-09-25 22:18 . 2009-09-25 22:18 16384 c:\windows\temp\Cookies\index.dat
+ 2009-09-25 22:21 . 2009-09-25 22:21 279040 c:\windows\Installer\2e60e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2006-12-27 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2005-05-12 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-05-12 2805248]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: myspace.com\www
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-09-25 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 22:39
ComboFix2.txt 2009-09-25 12:48
ComboFix3.txt 2009-09-21 19:31

Pre-Run: 58,947,788,800 bytes free
Post-Run: 58,986,528,768 bytes free

169 --- E O F --- 2009-09-15 17:06

I think I got all the instructions followed. :-)
Posted 9/26/2009 11:53 AM
#77778
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Looking much improved. That SubInACL procedure would not have run that quickly, so some part of that failed to work right.

Since you have it, open and update Malwarebytes.

 * If an update is found, it will download and install the latest version.
 * Once the program has loaded, select "Perform quick scan", then click Scan.
 * The scan may take some time to finish, so please be patient.
 * When the scan is complete, click OK, then Show Results to view the results.
 * Make sure that everything is checked, and click Remove Selected.
 * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
 * The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
 * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

-------

Download MS Sysinternal's Junction.zip from here to your desktop, then unzip that. Then in that folder locate the Junction.exe file, and place a copy of that directly on your desktop.

Go to Start - Run, and copy/paste the following command line, and then press OK:

cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

Once you have accepted the agreement a command window will open. When the scan completes a log.txt will open in Notepad. Paste those contents back here please. This will also be saved as "log.txt" in your current user's folder (example - C:\Documents and Settings\yourusername).

Post those two logs please.
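The junction.exe step above lists NTFS reparse points (junctions, volume mount points, symbolic links), which matter in a cleanup because a reparse point can make a folder appear somewhere it is not and can send a naive recursive scan in circles. As an added example, not code from this thread or from Sysinternals, the PowerShell below produces the same listing while refusing to descend into any reparse point it finds, so a junction that points back up the tree cannot loop the walk. It assumes PowerShell 2.0 or later; $Root and Get-ReparsePoints are my names.

```powershell
# Added example, not from this thread or from Sysinternals: list NTFS reparse points
# (junctions, mount points, symbolic links) under $Root, the information the thread's
# "junction.exe -s c:\" step reports. Assumes PowerShell 2.0 or later.
function Get-ReparsePoints {
    param([string]$Root = "$env:SystemDrive\")

    $reparseFlag = [System.IO.FileAttributes]::ReparsePoint
    $hiddenFlag  = [System.IO.FileAttributes]::Hidden
    $pending = New-Object 'System.Collections.Generic.Stack[string]'
    $pending.Push($Root)
    $found = @()

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        # -Force includes hidden and system entries; a folder we cannot read is skipped, not fatal.
        $children = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
        foreach ($child in $children) {
            if (($child.Attributes -band $reparseFlag) -ne 0) {
                $found += New-Object PSObject -Property @{
                    Path   = $child.FullName
                    Kind   = $(if ($child.PSIsContainer) { 'directory' } else { 'file' })
                    Hidden = (($child.Attributes -band $hiddenFlag) -ne 0)
                }
                # Do not descend into a reparse point: its target is reached through the
                # real path anyway, and a junction pointing back up the tree would loop.
                continue
            }
            if ($child.PSIsContainer) { $pending.Push($child.FullName) }
        }
    }
    return $found
}

# Usage: an empty result corresponds to the "No reparse points found." line in the thread's log.
$points = @(Get-ReparsePoints -Root 'C:\')
if ($points.Count -eq 0) {
    'No reparse points found.'
} else {
    $points | Sort-Object Path | Format-Table Kind, Hidden, Path -AutoSize
}
```

On a Windows XP system such as the one in this thread, an empty list is the expected result; on Vista and later, Windows itself creates a number of junctions under the profile folders, so the useful signal there is a hidden reparse point in a location a user can write to, not the total count.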
Posted 9/26/2009 3:49 PM
#77781
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Malwarebytes will not install. It runs through the installation then I get this message

Run-time error 339
Component vbalsgrid6.ocx or one of its dependencies is not correctly registered.

I have googled the error and found something saying I needed to download and install vbrun60sp6.exe
I downloaded it but did not install because I do not want to do anything to hose up what we are doing with the pc.

I HAVE tried uninstalling Malwarebytes and rebooting then installing again - same error. Once the install is finished I get the same error if I try to run Malwarebytes.

I also didn't go on to the next step because I wasn't sure if I should since I couldn't run Malwarebytes.
Posted 9/26/2009 9:26 PM
#77783
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
That second step might actually show us some of why Malwarebytes is having problems, so yes, go ahead and do that now.
Posted 9/27/2009 12:21 AM
#77784
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Here is the Junction log...

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

.
Failed to open \\?\c:\\Documents and Settings\Administrator.JILL\Desktop\HiJackThis.exe: Access is denied.

..
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
..
Failed to open \\?\c:\\WINDOWS\Prefetch\layout.ini: Access is denied.

.
...
...
...
...
No reparse points found.
Posted 9/27/2009 2:25 AM
#77787
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Just HijackThis.exe with permissions issues there. The rest of that log should be normal system functions. The last ComboFix log showed much of McAfee as running processes, so do whatever you can to get that disabled while doing these steps.

Right click My Computer, left click Explore, then navigate to the following file and right click - copy it:

C:\Program Files\Windows Resource Kits\Tools\SubInACL.exe

Then go to the C drive folder, and right click - paste. So you will then have a C:\SubInACL.exe.

Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
[code]cd\
subinacl /subdirectories %SystemDrive% /grant=everyone=f
subinacl /subdirectories %windir%\*.* /grant=everyone=f[/code]
Save the file to the desktop as "newperm.bat"

Make sure to use the quotes "" in the name.

Then double-click on newperm.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

-------------------

Click [URL="http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe"]here[/URL] and download Inherit.exe to your desktop.

Then left click and hold that HijackThis.exe file and drag it into the Inherit.exe file, and release. That will reset the file's permissions.

Again right click My Computer, left click Explore. If that opens full screen use the double-squares icon upper right corner of that display to reduce the size to make it easier to work there. Navigate to the following folder, and right click drag that Inherit.exe file to that, release and select Copy Here.

C:\Program Files\Malwarebytes' Anti-Malware <------

Then drag each of those Malwarebytes files into Inherit.exe like you did with HijackThis.exe.

Then try running Malwarebytes again please.
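The permission repairs in this thread are blunt instruments: permdo.bat earlier hands Administrators and SYSTEM full control across the registry hives and the system drive, newperm.bat above grants Everyone full control over the whole drive (which clears the malware's deny entries but also removes every legitimate restriction), and Inherit.exe resets one dropped file at a time. As an added example, not code from this thread, from BleepingComputer or from Microsoft, the PowerShell below does the audit that would normally come first: it walks a tree and reports the three symptoms those tools fix (inheritance switched off, explicit Deny entries, and Administrators or SYSTEM without Full Control), and with -Repair re-enables inheritance and removes the explicit denies, which is what Inherit.exe does for a file dragged onto it. It assumes PowerShell 2.0 or later run from an account in the Administrators group; $Root, the -Repair switch, Get-AclProblems and Repair-Acl are my names.

```powershell
# Added example, not part of the thread: report files and folders whose ACLs show the
# damage the thread repairs with SubInACL and Inherit.exe, and optionally repair them.
# Assumes PowerShell 2.0 or later, run by a member of Administrators.
param(
    [string]$Root = "$env:SystemDrive\",
    [switch]$Repair
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$required    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Returns the list of problems found on one ACL (empty when it looks healthy).
function Get-AclProblems {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $problems = @()

    # 1. Inheritance switched off: the object no longer receives its parent's ACEs.
    if ($Acl.AreAccessRulesProtected) { $problems += 'inheritance disabled' }

    # 2. Explicit Deny ACEs (the "Access is denied" on HijackThis.exe in the Junction log).
    $denies = @($Acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($denies.Count -gt 0) {
        $who = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        $problems += "deny ACE for $who"
    }

    # 3. Administrators or SYSTEM without an Allow entry that covers FullControl.
    foreach ($principal in $required) {
        $ok = @($Acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        })
        if ($ok.Count -eq 0) { $problems += "$principal lacks FullControl" }
    }
    return $problems
}

# Re-enable inheritance and drop explicit Deny ACEs: the Inherit.exe behaviour for one object.
function Repair-Acl {
    param([string]$Path, [System.Security.AccessControl.FileSystemSecurity]$Acl)
    $Acl.SetAccessRuleProtection($false, $false)   # not protected -> inherit from parent again
    foreach ($deny in @($Acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
        [void]$Acl.RemoveAccessRule($deny)
    }
    # Set-Acl fails with "access denied" when the owner was changed as well; taking
    # ownership of the object first is then required before retrying the repair.
    Set-Acl -Path $Path -AclObject $Acl
}

$items = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($item in $items) {
    try {
        $acl = Get-Acl -Path $item.FullName -ErrorAction Stop
    } catch {
        "{0}: cannot read ACL ({1})" -f $item.FullName, $_.Exception.Message
        continue
    }
    $problems = @(Get-AclProblems -Acl $acl)
    if ($problems.Count -eq 0) { continue }
    "{0}: {1}" -f $item.FullName, ($problems -join '; ')
    if ($Repair) { Repair-Acl -Path $item.FullName -Acl $acl }
}
```

Run it without -Repair first and read the list. "Inheritance disabled" on its own is normal for a few top-level Windows folders, and System Volume Information deliberately carries no Administrators entry, so the lines that matter are the Deny entries and the missing SYSTEM or Administrators rights on ordinary files and folders. The repair only removes explicit denies and restores inheritance; it never grants Everyone or any other principal, which is the narrower change newperm.bat's blanket grant stands in for.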
Posted 9/27/2009 3:37 AM
#77790
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Running SubInAcl this time ran much longer. The red bar at top showed some 50000 files or so. There were 2 failures.

Using Inherit on Malwarebytes did not work - even though I got the message box saying "OK". Still get same vbalsgrid6.ocx error. I tried registering it and it failed, so I logged off and logged into safe mode as administrator and tried registering it. It said registration succeeded, but Malwarebytes will not run. Now I get Run-time error 0, followed by run-time error 440 : automation error. I uninstalled and reinstalled Malwarebytes. Same errors after re-install.
I did the uninstall and re-install as the Owner. Not in safe mode.
Posted 9/27/2009 12:29 PM
#77794
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Better we put off any more experiments with why Malwarebytes isn't working right now.

Click Scan in Gmer and run and post a new scan log with that please.

Then close Gmer, open it again, and right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
Posted 9/27/2009 7:23 PM
#77800
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Gmer scan #1...

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-27 14:21:39
Windows 5.1.2600 Service Pack 3
Running: ftng38n7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.cfxxe@ cfxxefile
Reg HKLM\SOFTWARE\Classes\.mbam@ mbam.script
Reg HKLM\SOFTWARE\Classes\cfxxefile\shell
Reg HKLM\SOFTWARE\Classes\cfxxefile\shell\open
Reg HKLM\SOFTWARE\Classes\cfxxefile\shell\open\command
Reg HKLM\SOFTWARE\Classes\cfxxefile\shell\open\command@ "%1" %*
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6@ AIFF Clip
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\DefaultIcon
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\DefaultIcon@ C:\Program Files\Real\RealPlayer\RealPlay.exe,0
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open\command
Reg HKLM\SOFTWARE\Classes\RealPlayer.AIFF.6\shell\open\command@ "C:\Program Files\Real\RealPlayer\RealPlay.exe" /m audio/aiff %1
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6@ WAV Clip
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\DefaultIcon
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\DefaultIcon@ C:\Program Files\Real\RealPlayer\RealPlay.exe,0
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open\command
Reg HKLM\SOFTWARE\Classes\RealPlayer.WAV.6\shell\open\command@ "C:\Program Files\Real\RealPlayer\RealPlay.exe" /m audio/wav %1
Reg HKLM\SOFTWARE\Classes\SSubTimer6.CTimer@ SSubTimer6.CTimer
Reg HKLM\SOFTWARE\Classes\SSubTimer6.CTimer\Clsid
Reg HKLM\SOFTWARE\Classes\SSubTimer6.CTimer\Clsid@ {71A27034-C7D8-11D2-BEF8-525400DFB47A}
Reg HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass@ SSubTimer6.GSubclass
Reg HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass\Clsid
Reg HKLM\SOFTWARE\Classes\SSubTimer6.GSubclass\Clsid@ {71A27032-C7D8-11D2-BEF8-525400DFB47A}
Reg HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass@ SSubTimer6.ISubclass
Reg HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass\Clsid
Reg HKLM\SOFTWARE\Classes\SSubTimer6.ISubclass\Clsid@ {71A2702F-C7D8-11D2-BEF8-525400DFB47A}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell@ vbAcceleratorSGrid6.cGridCell
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid@ {9BD3A001-42A2-491E-AACA-9512F6CF4CDB}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject@ vbAcceleratorSGrid6.cGridSortObject
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid@ {D2129738-6A78-4BCB-915A-412982CAA23D}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw@ vbAcceleratorSGrid6.IGridCellOwnerDraw
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid@ {DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid@ vbAccelerator Grid Control
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid@ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000034.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001043.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001047.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002047.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002051.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002073.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003073.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003144.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003215.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0003286.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0004286.sys:1 8704 bytes executable
ADS C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0004357.sys:1 8704 bytes executable

---- EOF - GMER 1.0.15 ----
Posted 9/27/2009 7:24 PM
#77801
User avatar

krbam2 Valued member

Date Joined Nov 2016
Total Posts: 24
Gmer scan #2

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-27 10:28:33
Windows 5.1.2600 Service Pack 3
Running: ftng38n7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys

---- Modules - GMER 1.0.15 ----

Module aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) F89F9000-F89FB000 (8192 bytes)
Module cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.) F89FB000-F89FD000 (8192 bytes)
Module viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) F89FF000-F8A01000 (8192 bytes)
Module sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.) F8785000-F878A000 (20480 bytes)
Module symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.) F8911000-F8915000 (16384 bytes)
Module asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.) F878D000-F8794000 (28672 bytes)
Module asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.) F891D000-F8921000 (16384 bytes)
Module mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.) F8795000-F879A000 (20480 bytes)
Module symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic) F87A5000-F87AD000 (32768 bytes)
Module sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic) F87AD000-F87B4000 (28672 bytes)
Module sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic) F87B5000-F87BD000 (32768 bytes)
Module ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.) F8565000-F856E000 (36864 bytes)
Module ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) F8575000-F857F000 (40960 bytes)
Module ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) F8585000-F8591000 (49152 bytes)
Module ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) F8595000-F85A1000 (49152 bytes)
Module dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation) F8321000-F834D000 (180224 bytes)
Module PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) F85C5000-F85CE000 (36864 bytes)
Module sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation) F85D5000-F85DF000 (40960 bytes)
Module amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.) F8635000-F8640000 (45056 bytes)
Module \SystemRoot\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation) F7744000-F77F9000 (741376 bytes)
Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) F7708000-F7730000 (163840 bytes)
Module \SystemRoot\system32\DRIVERS\HSFHWBS2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.) F76AE000-F76E4000 (221184 bytes)
Module \SystemRoot\system32\DRIVERS\HSF_DP.sys (HSF_DP driver/Conexant Systems, Inc.) F758C000-F768B000 (1044480 bytes)
Module \SystemRoot\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.) F74E4000-F758C000 (688128 bytes)
Module \SystemRoot\system32\DRIVERS\e100b325.sys (Intel(R) PRO/100 Adapter NDIS 5.1 driver/Intel Corporation) F74BE000-F74E4000 (155648 bytes)
Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) F88D5000-F88DA000 (20480 bytes)
Module \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) AA484000-AA76F000 (3059712 bytes)
Module \SystemRoot\system32\drivers\mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) F86F5000-F8701000 (49152 bytes)
Module \??\C:\Program_Files\McAfee\VirusScan_Enterprise\mferkdk.sys (VSCore Code Analysis Driver/McAfee, Inc.) F8815000-F881C000 (28672 bytes)
Module \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (SunkFilt/Alcor Micro Corp.) F8825000-F882C000 (28672 bytes)
Module \SystemRoot\System32\ialmdnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation) BF020000-BF03E000 (122880 bytes)
Module \SystemRoot\System32\ialmrnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation) BF012000-BF020000 (57344 bytes)
Module \SystemRoot\System32\ialmdev5.DLL (Component GHAL Driver/Intel Corporation) BF03E000-BF064000 (155648 bytes)
Module \SystemRoot\System32\ialmdd5.DLL (DirectDraw(R) Driver for Intel(R) Graphics Technology/Intel Corporation) BF064000-BF125000 (790528 bytes)
Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BFFA0000-BFFE6000 (286720 bytes)
Module \SystemRoot\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant) A90FC000-A90FF000 (12288 bytes)
Module \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypod.sys (GMER) A86EE000-A8703000 (86016 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.) 116
Library C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.) 0x00400000

Process C:\Program Files\McAfee\Common Framework\UdaterUI.exe (Common User Interface/McAfee, Inc.) 152
Library C:\Program Files\McAfee\Common Framework\UdaterUI.exe (Common User Interface/McAfee, Inc.) 0x00400000
Library C:\Program Files\McAfee\Common Framework\nailog2.dll (Debug Logging/McAfee, Inc.) 0x643F0000
Library C:\Program Files\McAfee\Common Framework\naCmnLib2_71.dll (Common Library/McAfee, Inc.) 0x643A0000
Library C:\Program Files\McAfee\Common Framework\naXML2_71.dll 0x644A0000
Library C:\Program Files\McAfee\Common Framework\applib.dll (CMA Application Library/McAfee, Inc.) 0x64070000
Library C:\Program Files\McAfee\Common Framework\cmalib.dll (CMA Library/McAfee, Inc.) 0x640B0000
Library C:\Program Files\McAfee\Common Framework\0409\UpdRes.dll (Common UI Resources/McAfee, Inc.) 0x645E0000
Library C:\Program Files\McAfee\Common Framework\0409\AgentRes.dll (Agent Subsystem Resources/McAfee, Inc.) 0x64050000
Library C:\Program Files\McAfee\Common Framework\SecureFrameworkFactory.dll (Secure Framework Factory/McAfee, Inc.) 0x64560000

Process C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (VirusScan tray icon/McAfee, Inc.) 172
Library C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (VirusScan tray icon/McAfee, Inc.) 0x00400000
Library C:\Program Files\McAfee\VirusScan Enterprise\LockDown.dll (Provides self-protection functionality/McAfee, Inc.) 0x140E0000
Library C:\Program Files\McAfee\VirusScan Enterprise\ftcfg.dll (Filter Configuration Resource Library/McAfee, Inc.) 0x153E0000
Library C:\Program Files\McAfee\VirusScan Enterprise\mytilus2.dll (Common Shell2 - Scanners' interface to the 5000 series engine/McAfee, Inc.) 0x14220000
Library C:\Program Files\McAfee\VirusScan Enterprise\mytilus.dll (Common Shell - Scanners' interface to the engine/McAfee, Inc.) 0x14180000
Library C:\Program Files\McAfee\VirusScan Enterprise\wmain.dll (Shared Library/McAfee, Inc.) 0x161A0000
Library C:\Program Files\McAfee\VirusScan Enterprise\shutil.dll (VirusScan Shared Utility Library/McAfee, Inc.) 0x15C80000
Library C:\Program Files\McAfee\VirusScan Enterprise\RES0900\McShield.dll (Resources for McShield/McAfee, Inc.) 0x14100000
Library C:\Program Files\McAfee\VirusScan Enterprise\Graphics.dll (VirusScan Graphics/McAfee, Inc.) 0x154A0000

Process C:\WINDOWS\ALCFDRTM.EXE (ALCFDRTM/Realtek Semiconductor Corp.) 188
Library C:\WINDOWS\ALCFDRTM.EXE (ALCFDRTM/Realtek Semiconductor Corp.) 0x00400000

Process C:\WINDOWS\ALCWZRD.EXE (RealTek AlcWzrd Application/RealTek Semicoductor Corp.) 196
Library C:\WINDOWS\ALCWZRD.EXE (RealTek AlcWzrd Application/RealTek Semicoductor Corp.) 0x00400000

Process C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee Security Agent Taskbar Extension/McAfee, Inc.) 372
Library C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee Security Agent Taskbar Extension/McAfee, Inc.) 0x00400000
Library C:\Program Files\McAfee\Common Framework\JrMac.dll (McAfee Security Agent Taskbar Extension Library/McAfee, Inc.) 0x66900000

Process C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc.) 404
Library C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc.) 0x00400000
Library C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\gtn.dll (GoogleToolbarNotifier/Google Inc.) 0x10000000
Library C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (GoogleToolbarNotifier/Google Inc.) 0x00C00000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 988
Library C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.) 0x16080000

Process C:\Documents and Settings\Owner\Desktop\ftng38n7.exe 1336
Library C:\Documents and Settings\Owner\Desktop\ftng38n7.exe 0x00400000

Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 1392
Library C:\PROGRA~1\WINDOW~2\wmpband.dll (Windows Media Player Deskband/Microsoft Corporation) 0x13420000
Library C:\Program Files\McAfee\Common Framework\JrMac.dll (McAfee Security Agent Taskbar Extension Library/McAfee, Inc.) 0x66900000
Library C:\Program Files\McAfee\VirusScan Enterprise\shext.dll (Shell Extension/McAfee, Inc.) 0x15C20000
Library C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation) 0x10000000
Library C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.) 0x01930000

Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 1476
Library C:\WINDOWS\system32\CNMLM75.DLL (IJ Language Monitor/CANON INC.) 0x66F40000
Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD75.DLL (IJ Print Processor Dispatcher/CANON INC.) 0x00980000
Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation) 0x3F420000
Library C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.) 0x16080000

Process C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 1640
Library C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 0x00400000

Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1692
Library C:\WINDOWS\System32\strmfilt.dll (Stream Filter Library/Microsoft Corporation) 0x6F290000

Process C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)
1716 <br/>Library C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) 0x00400000 <br/> <br/>---- Services - GMER 1.0.15 ---- <br/> <br/>Service C:\WINDOWS\system32\DRIVERS\aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) [BOOT] AliIde <br/>Service C:\WINDOWS\system32\DRIVERS\amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.) [BOOT] amdagp <br/>Service C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device Service/Apple Inc.) [DISABLED] Apple Mobile Device <br/>Service C:\WINDOWS\system32\DRIVERS\asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.) [BOOT] asc <br/>Service C:\WINDOWS\system32\DRIVERS\asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.) [BOOT] asc3550 <br/>Service C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) [AUTO] Bonjour Service <br/>Service C:\ComboFix\catchme.sys [MANUAL] catchme <br/>Service C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.) [BOOT] CmdIde <br/>Service C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation) [BOOT] dac2w2k <br/>Service C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel(R) PRO/100 Adapter NDIS 5.1 driver/Intel Corporation) [MANUAL] E100B <br/>Service C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) 
[MANUAL] GEARAspiWDM <br/>Service C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (gusvc/Google) [MANUAL] gusvc <br/>Service C:\WINDOWS\system32\drivers\HdAudio.sys (High Definition Audio Function Driver v1.0a/Windows (R) Server 2003 DDK provider) [MANUAL] HdAudAddService <br/>Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) [MANUAL] HDAudBus <br/>Service C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.) [MANUAL] HSFHWBS2 <br/>Service C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (HSF_DP driver/Conexant Systems, Inc.) [MANUAL] HSF_DP <br/>Service C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation) [MANUAL] ialm <br/>Service C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT <br/>Service (Ahead MRW Filter Driver/Ahead Software AG) [SYSTEM] incdrm <br/>Service C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] IntcAzAudAddService <br/>Service C:\Program Files\iPod\bin\iPodService.exe (iPodService Module/Apple Inc.) [MANUAL] iPod Service <br/>Service C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService <br/>Service C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [MANUAL] LiveUpdate <br/>Service C:\Program Files\McAfee\Common Framework\FrameworkService.exe (Framework Service/McAfee, Inc.) [MANUAL] McAfeeFramework <br/>Service C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (On-Access Scanner service/McAfee, Inc.) [MANUAL] McShield <br/>Service C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (Task Manager/McAfee, Inc.) 
[MANUAL] McTaskManager <br/>Service C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant) [AUTO] mdmxsdk <br/>Service C:\WINDOWS\system32\drivers\mfeapfk.sys (Access Protection Filter Driver/McAfee, Inc.) [MANUAL] mfeapfk <br/>Service C:\WINDOWS\system32\drivers\mfeavfk.sys (Anti-Virus File System Filter Driver/McAfee, Inc.) [MANUAL] mfeavfk <br/>Service C:\WINDOWS\system32\drivers\mfebopk.sys (Buffer Overflow Protection Driver/McAfee, Inc.) [MANUAL] mfebopk <br/>Service C:\WINDOWS\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) [MANUAL] mfehidk <br/>Service C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (VSCore Code Analysis Driver/McAfee, Inc.) [SYSTEM] mferkdk <br/>Service C:\WINDOWS\system32\drivers\mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) [SYSTEM] mfetdik <br/>Service C:\WINDOWS\system32\DRIVERS\mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.) [BOOT] mraid35x <br/>Service C:\WINDOWS\system32\DRIVERS\MRVW245.sys (NDIS 5.1 driver/Marvell Semiconductor, Inc) [MANUAL] MRVW245 <br/>Service MSDTC Bridge 3.0.0.0 <br/>Service C:\WINDOWS\system32\DRIVERS\mxnic.sys (Macronix MX987xx Family Fast Ethernet Adapter Window Driver /Macronix International Co., Ltd. ) [MANUAL] mxnic <br/>Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 /NVIDIA Corporation) [MANUAL] nv <br/>Service C:\Program [DISABLED] PrismXL <br/>Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) 
[MANUAL] Ptilink <br/>Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20 <br/>Service C:\WINDOWS\system32\DRIVERS\ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [BOOT] ql1080 <br/>Service C:\WINDOWS\system32\DRIVERS\ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [BOOT] ql12160 <br/>Service C:\WINDOWS\system32\DRIVERS\ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [BOOT] ql1280 <br/>Service C:\WINDOWS\system32\DRIVERS\rt2500usb.sys (Sample Driver for Ralink 802.11g Wireless USB Adapters/Ralink Technology Inc.) [MANUAL] rt2500usb <br/>Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [MANUAL] Secdrv <br/>Service ServiceModelEndpoint 3.0.0.0 <br/>Service ServiceModelOperation 3.0.0.0 <br/>Service ServiceModelService 3.0.0.0 <br/>Service C:\WINDOWS\system32\DRIVERS\sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation) [BOOT] sisagp <br/>Service SMSvcHost 3.0.0.0 <br/>Service SNMP <br/>Service C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.) [BOOT] Sparrow <br/>Service C:\WINDOWS\System32\Drivers\sunkfilt.sys (SunkFilt/Alcor Micro Corp.) [MANUAL] SunkFilt <br/>Service C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.) [BOOT] symc810 <br/>Service C:\WINDOWS\system32\DRIVERS\symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic) [BOOT] symc8xx <br/>Service C:\WINDOWS\system32\DRIVERS\sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic) [BOOT] sym_hi <br/>Service C:\WINDOWS\system32\DRIVERS\sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic) [BOOT] sym_u3 <br/>Service C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.) 
[BOOT] ultra <br/>Service C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple Mobile Device USB Driver/Apple, Inc.) [MANUAL] USBAAPL <br/>Service C:\WINDOWS\system32\DRIVERS\viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) [BOOT] ViaIde <br/>Service C:\Program Files\Viewpoint\Common\ViewpointService.exe (ViewMgr/Viewpoint Corporation) [DISABLED] Viewpoint Manager Service <br/>Service system32\DRIVERS\wanatw4.sys [MANUAL] wanatw <br/>Service C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.) [MANUAL] winachsf <br/>Service Windows Workflow Foundation 3.0.0.0 <br/>Service Wmi <br/> <br/>---- EOF - GMER 1.0.15 ---- <br/> <br/> <br/><br /><br />
Posted 9/27/2009 8:17 PM
#77803
Jintan Advanced member
Date Joined Nov 2016
Total Posts: 1049
Seeing the Gmer results I guess we will need to revisit issues with Malwarebytes. Looks like a registry key related to that is locked in some manner.

Open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
[code]cd\
subinacl /subkeyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" /setowner=everyone[/code]
Save the file to the desktop as "againperm.bat"

Make sure to use the quotes "" in the name.

Then double-click on againperm.bat. A window should open and you will see some procedures run --- this is normal. Once they have completed the changes the window should close.

----------

Then try running Malwarebytes again please.
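Before resetting ownership of every subkey under HKLM\SOFTWARE\Classes, a defender usually wants to see which keys are actually locked. The script below is an added example, not from this thread or from the subinacl tool: it reads each key's ACL with Get-Acl and reports keys whose owner is not Administrators or SYSTEM, or that carry an explicit Deny entry, which is how cleanup tools typically get blocked. It assumes an elevated PowerShell prompt and treats $Root as an assumed parameter.

```powershell
# Added example, not from this thread: list registry keys whose ACL looks
# deliberately locked (explicit Deny entry, or an owner other than
# Administrators or SYSTEM), so you know what a blanket ownership reset touches.
# Run from an elevated PowerShell prompt; $Root is an assumed parameter.
param(
    [string]$Root = 'HKLM:\SOFTWARE\Classes'
)

# Owners that are typical for keys under HKLM on a default install.
$normalOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-LockedKey {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Being refused even read access to the ACL is itself a lock symptom.
        return New-Object PSObject -Property @{
            Key = $Path; Owner = '<unreadable>'; Reason = $_.Exception.Message }
    }
    $reasons = @()
    if ($normalOwners -notcontains $acl.Owner) {
        $reasons += "owner is $($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        # Inherited Deny entries come from the parent; an explicit one was set here.
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
            $reasons += "explicit Deny for $($ace.IdentityReference): $($ace.RegistryRights)"
        }
    }
    if ($reasons.Count -eq 0) { return $null }
    New-Object PSObject -Property @{
        Key = $Path; Owner = $acl.Owner; Reason = ($reasons -join '; ') }
}

# Check the root itself and each direct subkey. Subkeys that cannot even be
# enumerated are skipped silently, so a hidden key still needs a tool like GMER.
$keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)
$locked = foreach ($k in $keys) { Test-LockedKey -Path $k.PSPath }
$locked | Where-Object { $_ -ne $null } |
    Select-Object Key, Owner, Reason | Format-Table -AutoSize -Wrap
```

One caveat on the batch step above: `/setowner=everyone` leaves Everyone as owner of each subkey, and an object's owner can always rewrite its DACL, so once the scanner has run the owner should be set back to Administrators (subinacl accepts `/setowner=administrators`).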
Posted 9/27/2009 9:02 PM
#77804
krbam2 Valued member
Date Joined Nov 2016
Total Posts: 24
I ran it again. It ran OK I think - didn't take as long as last time.

Malwarebytes still will not run, same errors...Run-time 0 then run-time 440 Automation error.
Posted 9/27/2009 11:57 PM
#77806
Jintan Advanced member
Date Joined Nov 2016
Total Posts: 1049
We will switch to a different installed scan there for now. I have not trialed the following recently, so admit my steps for it may not quite match its current settings (if you would, let me know what you see as needing a change).

Click here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.

Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective. SUPERAntiSpyware tends to have logs full of cookie finds unless this is done.

-------------

Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

Run a new ComboFix scan, and post that and the SUPERAntiSpyware log please.