jstatham
Honorary Members
Posts: 24
Reputation: 0 Neutral
  1. Here is the report. I think all the malware is going but sometimes IE is showing "page cannot be displayed".
     2012-11-18 16:09:59 . 2012-11-18 16:09:59 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
     2012-11-17 03:11:58 . 2012-11-17 03:11:58 766 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Octoshape add-in for Adobe Flash Player.reg.dat
     2012-11-17 03:11:58 . 2012-11-17 03:11:58 652 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect Add-in.reg.dat
     2012-11-17 03:11:58 . 2012-11-17 03:11:58 1,342 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect 9 Add-in.reg.dat
     2012-11-17 03:07:26 . 2012-11-18 16:18:26 17,707 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
     2012-11-17 02:58:35 . 2012-11-18 16:08:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
  2. I manually deleted the 0 key and it finally works. Now my big question is how in the world did those get added in. Thanks again for all your help.
  3. The registry script would not run; I get an error. But I manually removed it and I found a bunch more that I think need removed. I exported them out into the attached reg file. It looks to me like all the paths need removed.
     Attachments: regfix.txt, codeitentifiers.txt
  4. I disabled all startup items and disabled all services. When I rebooted into Windows I still get the same error. I was wondering what would happen if I booted in safe mode and disabled the Group Policy Client. Here is the event viewer log when I click on the Malwarebytes icon. I guess the big question is how do we find the rule? It looks like there is a policy on the path and not the exe. If I rename the Malwarebytes folder it works. Strange.
     Access to C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe has been restricted by your Administrator by location with policy rule {3036cfcf-7c01-4800-a2ca-e6a7873107d2} placed on path C:\Program Files (x86)\Malwarebytes' Anti-Malware.
  5. Looks like nothing was found. This is crazy.
     Attachments: mbar-log-2012-11-21 (19-29-57).txt, system-log.txt
  6. SHA256: ba01b5c7dd7937ff6cec89f47a6213b1328a0bea4683ef66bf0d47be15cc038b
     SHA1: cd514a9a366f32c18275e85747bd634d9da210b7
     MD5: 5f56064d4f9334fa619f7ba9df2a57d0
     File size: 577.9 KB ( 591760 bytes )
     File name: 3A4F502390EDB5B3077D09CAAA9BDA00EC0AD3CA.exe
     File type: Win32 EXE
     Tags: signed
     Detection ratio: 3 / 41
     Analysis date: 2011-05-23 02:51:11 UTC ( 1 year, 6 months ago )

     Antivirus | Result | Update
     AhnLab-V3 | - | 20110522
     AntiVir | - | 20110523
     Antiy-AVL | - | 20110523
     Avast | - | 20110522
     Avast5 | - | 20110522
     AVG | Win32/Heur | 20110522
     BitDefender | - | 20110523
     CAT-QuickHeal | (Suspicious) - DNAScan | 20110522
     ClamAV | - | 20110523
     Commtouch | - | 20110522
     Comodo | - | 20110523
     DrWeb | - | 20110523
     eSafe | - | 20110522
     eTrust-Vet | - | 20110520
     F-Prot | - | 20110522
     Fortinet | - | 20110522
     GData | - | 20110523
     Ikarus | - | 20110523
     Jiangmin | - | 20110522
     K7AntiVirus | - | 20110520
     Kaspersky | - | 20110523
     McAfee | - | 20110523
     McAfee-GW-Edition | - | 20110522
     Microsoft | - | 20110522
     NOD32 | - | 20110523
     Norman | - | 20110522
     nProtect | - | 20110522
     Panda | - | 20110522
     PCTools | - | 20110519
     Prevx | - | 20110523
     Rising | Suspicious | 20110522
     Sophos | - | 20110523
     SUPERAntiSpyware | - | 20110523
     Symantec | - | 20110523
     TheHacker | - | 20110520
     TrendMicro | - | 20110522
     TrendMicro-HouseCall | - | 20110523
     VBA32 | - | 20110520
     VIPRE | - | 20110523
     ViRobot | - | 20110523
     VirusBuster | - |
  7. I will, but the inquiero.exe is a remote control app we use for remote administration that I have been running for years.
  8. =============== Repairing permissions... ===============
     Analyzing security setting differences (This may take several minutes)... Done.
     Log saved to: "C:\CAT-Logs\11-20-2012 - 21.48.14.111\SECEDIT - 21.49.08.674.log"
     Applying default security settings (This may take several minutes)... Done.
     ============= Permissions Repair Complete ==============
     =============== Repairing explorer shell ===============
     Registering acelpdec.ax... Success.
     Registering actxprxy.dll... Success.
     Registering asctrls.ocx... Success.
     Registering daxctle.ocx... Success.
     Registering dhtmled.ocx... Success.
     Registering hhctrl.ocx... Success.
     Registering lcodecx.ax... Success.
     Registering licmgr.dll... Success.
     Registering mpgds.ax... Success.
     Registering msdxm.ocx... Success.
     Registering plugin.ocx... Success.
     Registering proctexe.ocx... Success.
     Registering tdc.ocx... Success.
     Registering wshom.ocx... Unable to determine result.
     Registering access.cpl... Success.
     Registering appwiz.cpl... Success.
     Registering desk.cpl... Success.
     Registering firewall.cpl... Success.
     Registering hdwwiz.cpl... Success.
     Registering inetcpl.cpl... Success.
     Registering intl.cpl... Success.
     Registering nusrmgr.cpl... Success.
     Registering netsetup.cpl... Success.
     Registering powercfg.cpl... Success.
     Registering timedate.cpl... Success.
     Registering wuau.cpl... Success.
     Registering quartz.dll... Success.
     Registering danim.dll... Success.
     Registering dxmasf.dll... Success.
     Registering dxtmsft.dll... Success.
     Registering dxtrans.dll... Success.
     Registering sbe.dll... Success.
     Registering dxva.dll... Success.
     Registering dxmrtp.dll... Success.
     Registering dxdiagn.dll... Success.
     Registering atl.dll... Success.
     Registering corpol.dll... Success.
     Registering dispex.dll... Success.
     Registering jscript.dll... Success.
     Registering scrrun.dll... Success.
     Registering scrobj.dll... Success.
     Registering vbscript.dll... Success.
     Registering wshext.dll... Success.
     Registering activeds.dll... Success.
     Registering audiodev.dll... Success.
     Registering browseui.dll... Success.
     Registering browsewm.dll... Success.
     Registering cabview.dll... Success.
     Registering cdfview.dll... Success.
     Registering clbcatex.dll... Success.
     Registering clbcatq.dll... Success.
     Registering comcat.dll... Success.
     Registering cscui.dll... Success.
     Registering credui.dll... Success.
     Registering datime.dll... Success.
     Registering devmgr.dll... Success.
     Registering dfsshlex.dll... Unable to determine result.
     Registering dmdlgs.dll... Success.
     Registering dmdeskmgr.dll... Success.
     Registering dmocx.dll... Success.
     Registering dmview.ocx... Unable to determine result.
     Registering dsuiext.dll... Success.
     Registering dsquery.dll... Success.
     Registering dskquoiu.dll... Success.
     Registering els.dll... Success.
     Registering es.dll... Success.
     Registering fontext.dll... Success.
     Registering hlink.dll... Success.
     Registering hnetcfg.dll... Success.
     Registering iedkcs.dll... Success.
     Registering iepeers.dll... Success.
     Registering iesetup.dll... Success.
     Registering ils.dll... Success.
     Registering imgutil.dll... Success.
     Registering inetcfg.dll... Success.
     Registering inetcomm.dll... Success.
     Registering inseng.dll... Success.
     Registering laprxy.dll... Success.
     Registering lmrt.dll... Success.
     Registering mlang.dll... Success.
     Registering mmcndmgr.dll... Unable to determine result.
     Registering mmcshext.dll... Success.
     Registering mscoree.dll... Success.
     Registering mshhtml.dll... Success.
     Registering msieftp.dll... Success.
     Registering msoe.dll... Success.
     Registering msoeacct.dll... Success.
     Registering msrc.dll... Success.
     Registering msrating.dll... Success.
     Registering mydocs.dll... Success.
     Registering mstime.dll... Success.
     Registering netcfgx.dll... Success.
     Registering netplwiz.dll... Success.
     Registering netman.dll... Success.
     Registering netshell.dll... Success.
     Registering ntmsevt.dll... Success.
     Registering ntmsmgr.dll... Success.
     Registering ntmssvc.dll... Success.
     Registering occache.dll... Success.
     Registering ole.dll... Success.
     Registering oleaut.dll... Success.
     Registering oleacc.dll... Success.
     Registering olepro.dll... Success.
     Registering photowiz.dll... Success.
     Registering pngfilt.dll... Success.
     Registering remotepg.dll... Success.
     Registering rpcrt.dll... Success.
     Registering rshx.dll... Success.
     Registering sendmail.dll... Success.
     Registering slayerxp.dll... Success.
     Registering shdocvw.dll... Success.
     Registering shsvcs.dll... Success.
     Registering srclient.dll... Success.
     Registering stobject.dll... Success.
     Registering themeui.dll... Success.
     Registering twext.dll... Success.
     Registering urlmon.dll... Success.
     Registering userenv.dll... Success.
     Registering webcheck.dll... Success.
     Registering webvw.dll... Success.
     Registering winhttp.dll... Success.
     Registering wininet.dll... Success.
     Registering zipfldr.dll... Success.
     Registering msdadc.dll... Success.
     Registering nsdaenum.dll... Success.
     Registering msdaer.dll... Success.
     Registering msdaipp.dll... Success.
     Registering msdaora.dll... Success.
     Registering msdaosp.dll... Success.
     Registering msdaps.dll... Success.
     Registering msdasc.dll... Success.
     Registering msdasql.dll... Success.
     Registering msdatt.dll... Success.
     Registering msdaurl.dll... Success.
     Registering msdmeng.dll... Success.
     Registering msdmine.dll... Success.
     Registering msjtor.dll... Success.
     Registering msmdbc.dll... Success.
     Registering msmdgd.dll... Success.
     Registering msolap.dll... Success.
     Registering msolui.dll... Success.
     Registering msxactps.dll... Success.
     Registering oledb.dll... Success.
     Registering oledbr.dll... Success.
     Registering sqloledb.dll... Success.
     Registering sqlxmlx.dll... Success.
     Writing to registry: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShell"... Successful.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.
     Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.
     Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.
     Killing Explorer shell... Done.
     Restarting Explorer shell... Done.
     ============ Explorer Shell Repair Complete ============
  9. I did everything listed above and when I restarted I get the same error. The only way I can get the group policy error to not show is in safe mode.
  10. I killed all the processes and the services. To my knowledge all spot bot stuff was shut down. I do not see any app ctrl policies or software restriction policies. I have attached screen shots.
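The block message quoted in post 4 ("restricted by your Administrator by location with policy rule {GUID} placed on path ...") is what Windows emits when a Software Restriction Policy path rule at the Disallowed level covers the executable, and the "0 key" removed in post 2 is the Disallowed level's subkey under Safer\CodeIdentifiers. The script below is an added example, not code from this thread or from Malwarebytes: it enumerates the SRP path rules in HKLM and HKCU, resolves each rule's GUID to the path it covers, and reports which rules apply to a given executable so the offending rule can be identified before anything is removed. It assumes the standard Safer\CodeIdentifiers registry layout (level subkeys named by their numeric level id, a Paths subkey, and an ItemData value holding the rule path); the default target path is a constructed value mirroring the one quoted in the thread.

```powershell
# Added example (not from the forum thread or from Malwarebytes): list Software
# Restriction Policy (SRP) path rules and show which ones apply to an executable.
# Assumptions: rules live under the standard Safer\CodeIdentifiers keys in HKLM
# and HKCU; the default target path is a constructed value mirroring the thread.
param(
    [string]$TargetPath = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe"
)

# SRP security levels; the numeric id is the subkey name under CodeIdentifiers
# (the "0 key" in the thread is the Disallowed level).
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Enumerate every path rule as an object: hive, level, rule GUID, expanded path.
function Get-SrpPathRule {
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $levelId = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelId)) { continue }
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path -Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
                $props = Get-ItemProperty -Path $rule.PSPath
                $levelName = if ($LevelNames.ContainsKey($levelId)) { $LevelNames[$levelId] } else { "$levelId" }
                [pscustomobject]@{
                    Hive        = $root.Split(':')[0]
                    Level       = $levelName
                    RuleId      = $rule.PSChildName   # the {GUID} shown in the "restricted by your Administrator" message
                    RulePath    = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                    Description = [string]$props.Description
                    RegistryKey = $rule.Name
                }
            }
        }
    }
}

# A path rule applies when the target is the rule path itself, sits below it,
# or matches it as a wildcard pattern.
function Test-SrpPathMatch {
    param([string]$RulePath, [string]$Target)
    $rule = $RulePath.TrimEnd('\')
    if ($rule -match '[\*\?]') {
        return ($Target -like $rule) -or ($Target -like "$rule\*")
    }
    return ($Target -ieq $rule) -or $Target.StartsWith("$rule\", [StringComparison]::OrdinalIgnoreCase)
}

$rules = @(Get-SrpPathRule)
Write-Host "SRP path rules found: $($rules.Count)"
foreach ($root in $Roots) {
    if (Test-Path -Path $root) {
        $def = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        Write-Host ("{0} DefaultLevel: {1}" -f $root.Split(':')[0], $def)
    }
}

# When several path rules match, SRP enforces the most specific one, so sort
# matches longest-first; the top entry is the rule to investigate.
$applicable = $rules |
    Where-Object { Test-SrpPathMatch -RulePath $_.RulePath -Target $TargetPath } |
    Sort-Object { $_.RulePath.Length } -Descending

if (-not $applicable) {
    Write-Host "No SRP path rule applies to $TargetPath"
} else {
    Write-Host "Rules applying to $TargetPath (most specific first):"
    $applicable | Format-Table Hive, Level, RuleId, RulePath, Description -AutoSize
}
```

Run it from an elevated PowerShell prompt so HKLM is readable. A Disallowed-level rule whose RulePath is the program's folder explains exactly the symptom in the thread (renaming the folder makes the block disappear because the path no longer matches), and the RuleId column lets you match the GUID from the block message to the registry key that holds it; clearing such a rule is then a targeted registry edit rather than removing the whole level key, and the DefaultLevel line confirms whether the policy also restricts everything not explicitly listed.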