Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Go to first new post Old computer running as slow as molasses
Go to first new post MBR PhysicalDrive0 issue
Go to first new post Phantom audio ads and popup ads
Go to first new post Email Hacked! Information compromised he ...
Go to first new post computer completely freezes randomly
Go to first new post Sudden failure of utilities
Go to first new post Very slow computer and comboFIX said it ...
Go to first new post Infection/browser hijack causing memory ...
Go to first new post Strange "Incorrect Password" e ...
Go to first new post Malware? Redirecting, various ads, unab ...
Go to first new post Virus
Go to first new post Windows 7 Not Booting: autochk program n ...
Go to first new post Internet Explorer
Go to first new post Win XP only starts on CMD mode
Go to first new post Audio has disappeared
Search Search
Search for:
Tech Support Guy Forums > > >

Solved: Access Denied Malware


(!)

Reply
Page 1 of 3 1 23
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
01-Nov-2010, 10:46 PM #1
Access Denied Malware
I could really use some help diagnosing some Malware.
I'm getting Access Denied when I try to run HijackThis and GMER is freezing on me.
I was able to run DDS in SafeMode. Results are attached.


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Michelle at 20:11:04.40 on Mon 11/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1271 [GMT -6:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Michelle\Desktop\dds.scr
============== Pseudo HJT Report ===============
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = localhost
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ShutterflyStudio] c:\documents and settings\michelle\desktop\studio\bin\SFlyStudio.exe /trayonly
uRun: [SmileboxTray] "c:\documents and settings\michelle\application data\smilebox\SmileboxTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://securedoc.saskpower.com/qp2.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179431535093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180668558656
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.walmartphotocentre.ca/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
S2 Halt;Halt;c:\program files\soccerwinners\halt\Halt.exe [2007-10-1 45056]
S2 HaltMonitor;HaltMonitor;c:\program files\soccerwinners\halt\HaltMonitor.exe [2007-10-1 20480]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\drivers\rgfilerw.sys --> c:\windows\system32\drivers\RGFILERW.SYS [?]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\rick\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]
=============== Created Last 30 ================
2010-10-13 12:57:12 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb6ad627230746.mof
2010-10-12 21:18:37 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18:34 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11:30 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 18:23:26 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\dllcache\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-08 15:57:10 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-09-08 15:57:10 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-09-04 20:17:41 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 11:51:14 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\dllcache\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 08:02:29 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 05:57:43 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-08-26 13:39:50 357248 ------w- c:\windows\system32\dllcache\srv.sys
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 05:36:02 10841088 ------w- c:\windows\system32\dllcache\wmp.dll
2010-08-25 11:30:33 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-08-25 11:29:05 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-16 08:45:00 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2008-08-24 04:44:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat
============= FINISH: 20:11:52.31 ===============
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
02-Nov-2010, 10:39 PM #2
Anyone available to help?
To start, I think I need a way to remove AntiVirus 2010. It appears to be bogus.
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
03-Nov-2010, 02:38 AM #3
Hi rdizy, welcome to the forum.


To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
  • Do not attach any logs/reports, etc.. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, Please ask before continuing.
  • Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.


Click your start button, right click on My Computer
  • Click properties
  • click the Hardware tab
  • click Device manager button
  • click the + sign beside System Devices
  • look for something with cmz vmkd or vbma in name it should say virtual bus
  • right click the entry & select uninstall

Please read through the instructions to familarize youself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Link 1or Link 2 to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, before you save it to your desktop, rename Combofix to jgh.exe
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Please post back with
  • combofix log
How is the computer?
Thanks
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
03-Nov-2010, 11:13 PM #4
Thanks for helping. I appreciate it.
I can't get an internet connection on the infected computer (I tried regular and safe mode with networking). Can I download Combofix to another machine and transfer it to the infected machine's desktop via USB memory stick?
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
04-Nov-2010, 02:22 AM #5
Hi rdizy,


Quote:
Can I download Combofix to another machine and transfer it to the infected machine's desktop via USB memory stick?
Yes you can. Be sure it is renamed as per the previous instructions and transfered directly to the infected computer's desktop.

First we'll protect your usb device and clean computer the best we can.

Run this on the clean computer with the usb device attached.



Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Since you do not have an internet connection we will also manually install the Recovery Console. Once the Recovery Console is installed you should be given the option to continue scanning for malware.
Make sure you have done any other instructions as requested in the previous post before running combofix.


Download this file Pro and transfer it directly to your infected computers desktop.


Make sure the copy of combofix (renamed) you have is also located on the desktop.

With your left mouse button, drag the file onto the combofix icon as shown below. This will start combofix so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.


Follow the prompts from there.

Thanks
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
04-Nov-2010, 09:50 PM #6
Not sure if the flash disenfector worked, I downloaded and ran it but it didn't seem to do anything?

I ran combofix like you specified. There's still issues with the computer... I still can't connect to the internet and I don't have access to start MSE.

Attached is combo fix log...
ComboFix 10-11-03.04 - Rick 11/04/2010 19:25:22.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1172 [GMT -6:00]
Running from: c:\documents and settings\Rick\Desktop\jgh.exe
Command switches used :: G:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Rick\Application Data\PriceGong
c:\documents and settings\Rick\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\z.xml
c:\windows\system32\drivers\bcm4sbxp.sys
c:\windows\system32\Drivers\vbmac8a7.sys
c:\windows\system32\spool\prtprocs\w32x86\IQ31c9s.dll
c:\windows\system32\spool\prtprocs\w32x86\QG55a.dll
c:\windows\system32\USRINI~1.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USERINIT
-------\Service_userinit

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSv c]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\Drivers\RGFILERW.SYS --> c:\windows\system32\Drivers\RGFILERW.SYS [?]
S3 vbmac8a7;Virtual Bus for Microsoft ACPI-Compliant System; [x]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 19:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-11-04 19:42:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-05 01:42
Pre-Run: 5,804,474,368 bytes free
Post-Run: 6,879,375,360 bytes free
- - End Of File - - 7707E7BE2A02538E7F37C7FAA66124A1
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
04-Nov-2010, 11:11 PM #7
Hi rdizy.

Sorry should have mentioned that there isn't any display when FDD is ran.

You have several items disabled in msconfig. Were these your doing? There is one related to MSE

MSSE c:\program files\Microsoft Security Essentials\msseces.exe

We'll work in getting the permissions sorted out and your connection.


On the clean computer

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Driver::
vbmac8a7
RGFILERW

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Transfer CFScript.txt to the desktop of the infected computer.

Please follow all previous instructions regarding security programs.

Using your mouse left button, drag the file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Please post the log.



When trying to connect do you recieve an error message? If so what is the message?
  • Click your start button, right click on My Computer
  • Click properties
  • click the Hardware tab
  • click Device manager button
Anything in the list with a yellow ! mark?

Still in device manager click the + sign beside Network adapters. What is listed there?



Back on the clean computer
  • Right click the attached file user.zip
  • Select Save target as
  • Set the Save in box to Desktop or the usb device which you are using for transfering files.


Transfer the files to the infected computer's desktop.
  • Extract the files to your desktop
  • Locate run.bat and double click it to run it
  • Please be patient and let it run
  • When it's finished, a log will be saved at C:\junction.txt
  • Please post it's contents in your next reply

Please post back with
  • combofix log
  • junction.txt
  • please answer any questions asked
Besides MSE and the connection are you experiencing any other problems?

Thanks
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
05-Nov-2010, 12:28 AM #8
Hi,
I may have had some items disabled in msconfig but MSE was not one of them.
Prior to the infection, MSE was running normally.
Internet Connection error message is the standard:
Internet Explorer cannot display the webpage (similar to when you unplug your modem)
Device Manager, Network Adaptors shows Broadcom 440x 10/100 Integrated Controller as yellow !
Device Status: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Should I try to Rollback Driver?
As far as other problems, I do not have permission to access HiJackThis, MalewareBytes, can't start the MSE service, etc.

Here's the logs...
ComboFix 10-11-03.04 - Rick 11/04/2010 21:49:51.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1145 [GMT -6:00]
Running from: c:\documents and settings\Rick\Desktop\jgh.exe
Command switches used :: G:\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RGFILERW
-------\Service_RGFILERW
-------\Service_vbmac8a7

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSv c]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 21:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-11-04 22:03:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-05 04:03
ComboFix2.txt 2010-11-05 01:42
Pre-Run: 6,908,182,528 bytes free
Post-Run: 6,900,883,456 bytes free
- - End Of File - - ED82497536ED5DE89F7E3BF3A90A34EA




Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...

.\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\0: MOUNT POINT
Substitute Name: Volume{073e84df-3de3-11df-8e85-0002e33dcb0d}\
\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\1: MOUNT POINT
Substitute Name: Volume{073e84e0-3de3-11df-8e85-0002e33dcb0d}\

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin: Access is denied.
..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE: Access is denied.
..

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
.

...

...
Failed to open \\?\c:\\Program Files\Microsoft Security Essentials\MsMpEng.exe: Access is denied.

...

...
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
..

...

...

...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\callcont.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\gdi32.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323.tsp: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323msp.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\helpctr.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\lsasrv.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mf3216.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msasn1.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msgina.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mst120.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\netapi32.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\nmcom.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\rtcdll.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\schannel.dll: Access is denied.
.

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5 f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e


...

...

...

...

...

...

...

...

...
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
05-Nov-2010, 02:00 AM #9
Hi rdizy,

Let's see if we can get this batchfile to restore the permissions. We will also need a tool.

Please download Inherit by sUBs and save it to your Desktop or the usb device.

Next, create this batch file on the clean computer.


Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE

Code:
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
"%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp"
"%userprofile%\desktop\Inherit.exe" "Program Files\Microsoft Security Essentials\MsMpEng.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop or the usb device.
  • In the filename box, type (including quotation marks) as the filename: "myfix.bat"
  • Click save
The file will be called myfix.bat with an icon that looks like a gear.


Transfer the file along with the program, Inherit.exe to the infected computer's desktop.

Double click myfix.bat to run it.

Next


Click your start button, click run
  • in the run box type msconfig and click ok
  • click the startup tab
  • place a checkmark next to MSSE c:\program files\Microsoft Security Essentials\msseces.exe
  • click apply, click ok
  • reboot your computer
Can you access the programs now?

We'll look at your network adapter after you post back.

Thanks
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
05-Nov-2010, 11:45 PM #10
Hi,
Still can't "Start Now" Microsoft Security Essentials.

Malware Bytes and HijackThis now open. I did not try to run a scan.

I noticed in msconfig, that mssecs was in there twice, one was checked as a startup item and the other was not. I checked the one that was not and restarted.

MSE does start, but the service is stopped... I'm not sure I made that clear on previous posts.
The message is "Microstf Security Essentials isn't monitoring your computer becuase the program's service stopped. You should restart it now"

When I click "Start Now" I get "Couldn't start Microsoft Security Essentials service. Access Denied."
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
06-Nov-2010, 01:51 PM #11
Hi rdizy,

I replied last night but I don't see the post.


Please download SystemLook from one of the links below and save it to your usb and transfer it to your infected computer's desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :

    Code:
    :filefind
ndis.*
 
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis] /s
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt





Next
  • Click your start button, click run
  • type rsop.msc and click ok
  • click the + signs beside Computer Configuration - Windows Settings - Security Settings
  • click on System Services
  • Look for Microsoft Antimalware Service
Any restictions listed there?

Thanks
Last edited by oldman960; 06-Nov-2010 at 01:57 PM..
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
06-Nov-2010, 11:22 PM #12
Hi again,

SystemLook.txt output is below.

I didn't see any restrictions in Resultant Set of Policy.
All System Servcies are startup = undefined and permission = undefined
If I double click Microsoft Antimalware Service the startup mode options are greyed out (i.e. I can't change them) but I can see that the default startup mode = disabled.

SystemLook 04.09.10 by jpshortstuff
Log created at 21:15 on 06/11/2010 by Rick
Administrator - Elevation successful
========== filefind ==========
Searching for "ndis.*"
C:\i386\NDIS.SY_ --a---- 87077 bytes [18:38 17/05/2007] [14:00 31/03/2003] D032D6F2D040400F7CEDDAF57701176A
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c- 182912 bytes [03:29 24/08/2008] [06:14 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a---- 182656 bytes [03:34 20/11/2009] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------- 182656 bytes [06:14 04/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a---- 182656 bytes [09:09 29/08/2002] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
Searching for " "
No files found.
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis]
"DisplayName"="NDIS System Driver"
"ErrorControl"= 0x0000000001 (1)
"Group"="NDIS Wrapper"
"Start"= 0x0000000000 (0)
"Type"= 0x0000000001 (1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\MediaTypes]
(No values found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Parameters]
"ProcessorAffinityMask"= 0x00ffffffff (-1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Enum]
"0"="Root\LEGACY_NDIS\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
"ServiceSidType"= 0x0000000001 (1)
"RequiredPrivileges"="SeLoadDriverPrivilege SeImpersonatePrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege SeSecurityPrivilege SeShutdownPrivilege SeIncreaseQuotaPrivilege SeAssignPrimaryTokenPrivilege"
"Type"= 0x0000000010 (16)
"Start"= 0x0000000002 (2)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"=""c:\Program Files\Microsoft Security Essentials\MsMpEng.exe""
"DisplayName"="Microsoft Antimalware Service"
"Group"="COM Infrastructure"
"DependOnService"="RpcSs"
"DependOnGroup"=" "
"ObjectName"="LocalSystem"
"Description"="Helps protect users from malware and other potentially unwanted software"
"FailureActions"=80 51 01 00 01 00 00 00 01 00 00 00 03 00 00 00 48 00 4f 00 01 00 00 00 98 3a 00 00 01 00 00 00 98 3a 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
"Security"=01 00 14 80 a8 00 00 00 b4 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 78 00 05 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

-= EOF =-
Last edited by rdizy; 06-Nov-2010 at 11:28 PM..
oldman960's Avatar
Computer Specs
Malware Removal Specialist with 166 posts.
  
Join Date: Apr 2010
07-Nov-2010, 10:59 PM #13
Hi rdizy,


We may need to download a driver for your Network Adapter. What brand of computer do you have?

Still looking into the MSE problem.


Try this. Copy and paste the following into a notepad, name it something you will remember and transfer it to the infected computer.

Code:
"%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin"

On the infected computer
  • open the notepad you just made
  • right click in the notepad and click select all
  • right click in the notepad again and select copy
Click your start button click run. In the small white field in the run box, right click and select paste. Click ok.


Let's try to start MSE from a different location


Click your start button click run.
  • In the run box type services.msc
  • hit enter
In the list locate Microsoft Antimalware Service
  • right click on it and select properties
  • In the service status section click Start
Did it start or did you recieve an error message?


While you are in there please check the status of Windows Management Instrumentation

Thanks
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
07-Nov-2010, 11:15 PM #14
Hi,
I have an older machine. Its an HP D220.

I ran the script and it said OK.

I tried starting the service the way you suggested but again get Access Denied.

The Windows Management Instrumentation is Started.


I'm wondering if the MSE service cannot start because AntiVirus 2010 is still on my PC (at least in some shape or form). In Add/Remove Programs I see Antivirus 2010. That is bogus software. I wonder if I should try to remove it?
Last edited by rdizy; 07-Nov-2010 at 11:25 PM..
rdizy's Avatar
Junior Member with 25 posts.
THREAD STARTER
  
Join Date: Sep 2010
07-Nov-2010, 11:33 PM #15
I just downloaded the Broadcom network driver from HP. (sp25326.exe)
http://h20000.www2.hp.com/bizsupport...5&mode=4&idx=1

At least, I'm pretty sure this is what I would need?
Let me know if/when you think I should try installing it.
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 3 1 23
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join Today!

(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


Similar Threads
Title Thread Starter Forum Replies Last Post
Windows Service Pack 3 - Access Denied blom09 Windows XP 1 05-Dec-2008 10:29 AM
Drive Opening - Access denied valar Windows XP 6 14-Oct-2008 11:42 PM
My documents access denied error felicia0923 Windows XP 4 25-Sep-2008 09:42 PM
"documents" access denied Hard Drive transfer tinifer Windows XP 11 19-Aug-2008 10:57 PM
Roxio 6 access denied techditz All Other Software 4 18-Aug-2008 12:19 PM

TECH SUPPORT GUY
WELCOME
FOLLOW US
 
You Are Using: Server ID
All times are GMT -4. The time now is 04:09 PM.
Advertisements do not imply our endorsement of that product or service.
Copyright © 1996 - 2013 TechGuy, Inc. All rights reserved. Privacy & Terms.

VigLink badge
Trusted Website Back to the Top ↑