
Security Shield Rogue AV keeps applications from running. IE comes up and then terminates, Quick Launch apps don't come up. Symantec AV Corp ed 10 crashes. Can't do a file search from a Windows Explorer window. Symantec AV found numerous files infested, SEP deleted them or quarantined them. Ran MBAM and it found a dozen infected files. Then ran DDS.scr and the resulting files are attached. Security Shield does not pop up anymore, but many applications won't run.

There are two sets of DDS files, one from the infected account (xxx-Pauls) and one set created in safe mode from the admin account (xxx-SafeModeAdmin). The "Pauls" account has admin privs and was the account where the infection started.

attach-Pauls.txt

dds-Pauls.txt

attach-SafeModeAdmin.txt

dds-SafeModeAdmin.txt


Here's the results from RogueKiller:

RogueKiller V7.0.3 [02/06/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: student [Admin rights]

Mode: Scan -- Date : 02/06/2012 15:02:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{F3576CCF-0E2A-4CE8-88C8-D7B836D544ED} : NameServer (66.254.66.99,66.254.66.98) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{F3576CCF-0E2A-4CE8-88C8-D7B836D544ED} : NameServer (66.254.66.99,66.254.66.98) -> FOUND

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3802110A +++++

--- User ---

[MBR] 1f0bed8f0013c71fe0c38da8a5d23390

[bSP] dfe4c0bfa859120fb83a6a1aa43abcee : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 53976 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 110607525 | Size: 19053 Mo

3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149629410 | Size: 3223 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

One thing that's interesting is the inability to start up apps from Start / any apps listed, or to start any apps from Start / All Programs. If I right-mouse on an icon and select Open, I can start the application. Any idea where the click-to-start program option has been turned off?


Download and run rkill:

http://download.blee...inler/rkill.com

Now see if you can run ComboFix:

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


Rkill log:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 02/08/2012 at 9:54:42.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\grpconv.exe

Rkill completed on 02/08/2012 at 9:54:51.

-------------------------

Combofix.txt

ComboFix 12-02-08.02 - student 02/08/2012 10:02:12.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.431 [GMT -8:00]

Running from: c:\documents and settings\student\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\admin1\Application Data\PriceGong

c:\documents and settings\admin1\Application Data\PriceGong\Data\1.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\2229.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\a.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\b.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\c.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\d.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\e.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\f.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\g.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\h.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\i.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\j.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\k.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\l.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\m.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\admin1\Application Data\PriceGong\Data\n.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\o.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\p.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\q.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\r.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\s.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\t.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\u.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\v.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\w.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\wlu.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\x.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\y.txt

c:\documents and settings\admin1\Application Data\PriceGong\Data\z.txt

c:\documents and settings\Alt-User\Application Data\PriceGong

c:\documents and settings\Alt-User\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\student\Application Data\inst.exe

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.xul

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldropdown.xul

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_images.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_maps.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_news.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_videos.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_web.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_amazon.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_ebay.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_facebook.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_games.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_msn.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_shopping.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_travel.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_twitter.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\startnow_logo.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\installer.xml

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\index.html

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\NotIE6.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\OnlyIE6.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\SearchProtectIcon.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\Web.config

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\index.html

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\LeftImage.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\NotIE6.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\OnlyIE6.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.js

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\chevron_button.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_hover.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_normal.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_dropdown_button_normal.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_background.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_left.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_middle.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\separator.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\splitter.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ff_hover_c.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_c.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_l.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_r.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_c.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_l.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_r.png

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\toolbar.xml

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{5911488E-9D1E-40ec-8CBB-06B231CC153F}.dtd

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css

c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf

c:\documents and settings\student\Application Data\PriceGong

c:\documents and settings\student\Application Data\PriceGong\Data\1.txt

c:\documents and settings\student\Application Data\PriceGong\Data\2229.txt

c:\documents and settings\student\Application Data\PriceGong\Data\371.txt

c:\documents and settings\student\Application Data\PriceGong\Data\450.txt

c:\documents and settings\student\Application Data\PriceGong\Data\a.txt

c:\documents and settings\student\Application Data\PriceGong\Data\b.txt

c:\documents and settings\student\Application Data\PriceGong\Data\c.txt

c:\documents and settings\student\Application Data\PriceGong\Data\d.txt

c:\documents and settings\student\Application Data\PriceGong\Data\e.txt

c:\documents and settings\student\Application Data\PriceGong\Data\f.txt

c:\documents and settings\student\Application Data\PriceGong\Data\g.txt

c:\documents and settings\student\Application Data\PriceGong\Data\h.txt

c:\documents and settings\student\Application Data\PriceGong\Data\i.txt

c:\documents and settings\student\Application Data\PriceGong\Data\j.txt

c:\documents and settings\student\Application Data\PriceGong\Data\k.txt

c:\documents and settings\student\Application Data\PriceGong\Data\l.txt

c:\documents and settings\student\Application Data\PriceGong\Data\m.txt

c:\documents and settings\student\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\student\Application Data\PriceGong\Data\n.txt

c:\documents and settings\student\Application Data\PriceGong\Data\o.txt

c:\documents and settings\student\Application Data\PriceGong\Data\p.txt

c:\documents and settings\student\Application Data\PriceGong\Data\q.txt

c:\documents and settings\student\Application Data\PriceGong\Data\r.txt

c:\documents and settings\student\Application Data\PriceGong\Data\s.txt

c:\documents and settings\student\Application Data\PriceGong\Data\t.txt

c:\documents and settings\student\Application Data\PriceGong\Data\u.txt

c:\documents and settings\student\Application Data\PriceGong\Data\v.txt

c:\documents and settings\student\Application Data\PriceGong\Data\w.txt

c:\documents and settings\student\Application Data\PriceGong\Data\wlu.txt

c:\documents and settings\student\Application Data\PriceGong\Data\x.txt

c:\documents and settings\student\Application Data\PriceGong\Data\y.txt

c:\documents and settings\student\Application Data\PriceGong\Data\z.txt

c:\documents and settings\student\Recent\Thumbs.db

c:\documents and settings\student\WINDOWS

C:\Install.exe

c:\program files\RadioPI_4eEI

c:\windows\iun6002.exe

c:\windows\system32\default_user_class.dat.LOG

.

.

((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))

.

.

2012-02-06 23:27 . 2012-02-06 23:27 -------- d--h--w- c:\windows\system32\GroupPolicy

2012-02-06 18:13 . 2012-02-06 18:13 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll

2012-02-06 18:13 . 2012-02-06 18:13 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll

2012-02-06 18:13 . 2012-02-06 18:13 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll

2012-02-06 18:13 . 2012-02-06 18:13 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll

2012-02-05 04:41 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2012-02-05 04:40 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

2012-02-05 04:40 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2012-02-05 04:33 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2012-02-05 04:33 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

2012-02-05 04:32 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll

2012-02-05 04:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2012-02-05 04:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2012-02-05 04:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2012-02-04 22:33 . 1998-02-15 11:21 545 ----a-w- c:\windows\TXTPAD.PIF

2012-02-04 22:00 . 2012-02-04 22:01 -------- d-----w- c:\documents and settings\Alt-User

2012-02-04 21:23 . 2012-02-04 21:23 -------- d-----w- c:\documents and settings\student\Application Data\Malwarebytes

2012-02-04 20:28 . 2012-02-04 20:28 -------- d-----w- c:\documents and settings\admin1\Local Settings\Application Data\iBryte

2012-02-04 19:42 . 2012-02-04 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-02-04 19:41 . 2012-02-04 19:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2012-02-04 19:35 . 2012-02-04 19:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2012-02-04 16:18 . 2012-02-04 16:18 -------- d-----w- c:\documents and settings\admin1\Application Data\Malwarebytes

2012-02-04 16:18 . 2012-02-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-04 16:18 . 2012-02-04 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-04 16:18 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-04 02:30 . 2012-02-04 02:30 -------- d-----w- c:\documents and settings\admin1\Local Settings\Application Data\Temp

2012-02-04 02:30 . 2012-02-04 02:30 -------- d-----w- c:\documents and settings\admin1\Local Settings\Application Data\Adobe

2012-02-01 23:52 . 2012-02-01 23:54 -------- d-----w- c:\program files\AbiWord

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-25 21:57 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2004-08-11 22:00 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2004-08-11 22:00 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-16 14:21 . 2004-08-11 22:00 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21 . 2004-08-11 22:00 152064 ----a-w- c:\windows\system32\schannel.dll

2012-02-06 18:13 . 2011-08-04 00:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

c:\documents and settings\student\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - [N/A]

Microsoft Office.lnk - [N/A]

Office Startup.lnk - [N/A]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]

2006-08-21 16:40 61440 ----a-w- c:\dell\bldbubg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-16 17:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/4/2012 8:18 AM 652360]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2012 8:35 PM 106104]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/4/2012 8:18 AM 20464]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9/13/2011 12:42 PM 47360]

S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

TCP: Interfaces\{F3576CCF-0E2A-4CE8-88C8-D7B836D544ED}: NameServer = 66.254.66.99,66.254.66.98

FF - ProfilePath - c:\documents and settings\student\Application Data\Mozilla\Firefox\Profiles\78019lp8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

.

------- File Associations -------

.

.txt=TextPad.txt

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} - (no file)

Toolbar-{b278d9f8-0fa9-465e-9938-0c392605d8e3} - (no file)

Toolbar-Locked - (no file)

HKLM-Run-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

MSConfigStartUp-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe

AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

AddRemove-Dell Digital Jukebox Driver - c:\program files\Dell\Digital Jukebox Drivers\DrvUnins.exe

AddRemove-Easy CD-DA Extractor 7.0 - c:\windows\iun6002.exe

AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-08 10:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1128)

c:\windows\system32\msxml3.dll

c:\windows\system32\igfxdev.dll

.

Completion time: 2012-02-08 10:15:19

ComboFix-quarantined-files.txt 2012-02-08 18:15

.

Pre-Run: 11,400,171,520 bytes free

Post-Run: 11,422,990,336 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E2B5FF314704A910D5BC2DA5CC6CF316


Will do the quick scan this afternoon. After the Rkill and Combofix, the problem still exists with not being able to double click on an icon and getting the application to run. What registry items would keep the double click function from working?


Yes I have, I've even tried switching left/right mouse click functions and still the same problem. So it's not the mouse. Quick Launch functions do NOT work with a single click. Shortcuts on the desktop or anywhere else do NOT work. Something has been changed registry-wise, but I don't know where to look for the setting. As mentioned before, I'm unable to start up apps from Start / any apps listed, or to start any apps from Start / All Programs with a left mouse click. If I right-mouse on an icon and select Open, I can start the application.


Latest log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.11.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

student :: 8THGRADE [administrator]

Protection: Enabled

2/11/2012 8:24:01 AM

mbam-log-2012-02-12 (09-27-15).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 318930

Time elapsed: 3 hour(s), 41 minute(s), 18 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0075164.exe (Trojan.Ransom) -> No action taken.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0075169.exe (Adware.IBryte) -> No action taken.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0076910.exe (PUP.Bundle.Installer.OI) -> No action taken.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0076920.exe (Trojan.Ransom) -> No action taken.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP907\A0079082.dll (Adware.IBryte) -> No action taken.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP870\A0072778.exe (Adware.IBryte) -> No action taken.

(end)

Left these alone:

Registry Data Items Detected: 2

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

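The two entries above under "Registry Data Items Detected" were left alone for now. The following PowerShell is an added check, not code from the thread or from Malwarebytes: it reads both Security Center values, compares each to the Good/Bad numbers the MBAM log shows, and resets a value only when run with -Repair. The function name `Test-SecurityCenterNotify` and the variables `$SecurityCenterKey` and `$ExpectedValues` are names chosen here; the only facts taken from the page are the key, the two value names and the 1/0 meanings.

```powershell
# Test-SecurityCenterNotify.ps1 (added example; not code from the thread or
# from Malwarebytes). Re-checks the two Security Center values the MBAM log
# reports as "Bad: (1) Good: (0)" and can reset them once remediation is
# finished. Assumes PowerShell 2.0 or later; -Repair needs an administrator
# session because the key lives under HKLM.

$SecurityCenterKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# Value names and "good" settings exactly as MBAM reports them. A value of 1
# silences the Security Center warning for that component, which is why a
# rogue AV sets it; 0 (or the value being absent) restores the warning.
$ExpectedValues = @{
    'FirewallDisableNotify' = 0
    'UpdatesDisableNotify'  = 0
}

function Test-SecurityCenterNotify {
    param([switch]$Repair)

    $results = @()
    $props = Get-ItemProperty -Path $SecurityCenterKey -ErrorAction SilentlyContinue
    foreach ($name in @($ExpectedValues.Keys)) {
        $current = $null
        if ($props -ne $null -and $props.PSObject.Properties[$name]) {
            $current = [int]$props.$name
        }

        if ($current -eq $null) {
            $status = 'Absent (default)'
        } elseif ($current -eq $ExpectedValues[$name]) {
            $status = 'Good'
        } else {
            $status = 'Bad'
        }

        # Only touch the registry when explicitly asked to
        if ($Repair -and $status -eq 'Bad') {
            Set-ItemProperty -Path $SecurityCenterKey -Name $name `
                -Value $ExpectedValues[$name] -Type DWord
            $status = 'Repaired'
        }

        $results += New-Object PSObject -Property @{
            Name     = $name
            Current  = $current
            Expected = $ExpectedValues[$name]
            Status   = $status
        }
    }
    return $results
}

# Usage: report only; add -Repair to reset any value still flagged Bad
Test-SecurityCenterNotify | Format-Table Name, Current, Expected, Status -AutoSize
```

Run it without -Repair first and keep the output with the other logs; a value that flips back to 1 after being reset is a sign that something on the box is still actively suppressing the Security Center warnings.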

Those are all OK for now.

Try this as an experiment....

Download Inherit.exe from the site below:

http://forums.majorg...ad.php?t=198272

Find an app that you're having trouble running

Drag the .exe file into Inherit.exe, release and wait for the OK

Now see if it runs correctly

------------------------------------------------

another tool that may work: GrantPerms

Please download GrantPerms.zip

http://download.blee.../GrantPerms.zip

Save to the Desktop.

Unzip the file (Right-click > Extract all...)

Follow the prompts

In the new folder that appears, double-click GrantPerms.exe

Copy/paste in any app that won't run and Click: Unlock

examples:

c:\\Documents and Settings\chuck\Desktop\gmer.exe

c:\\Documents and Settings\chuck\Desktop\KillBox.exe

c:\\Documents and Settings\chuck\Desktop\OTL.exe

c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Let me know, MrC


I guess I'm looking for the underlying cause of what's keeping me from running apps from the quick launch as well as some shortcuts that are on the desktop.

What do these referenced exe files, Inherit and grantPerms, do exactly? What's the route from the time I click on a quick launch item to the time it runs and shows up in a window? In my case, what's missing in that path that's broken or changed? Since I didn't change the functions of the quick launch items that I know of, either some other malware, previously removed, or other installed or uninstalled apps have changed the functioning of the quick launch. I can post what Symantec AV found before we removed Security Shield as there were other viruses that SAV removed.


What do these referenced exe files, Inherit and grantPerms, do exactly?

They remove any restrictions placed on the file by malware.

When used it will remove the restriction and allow you to run the file, they both do the same thing.

---------------------

What's the route from the time I click on a quick launch item to the time it runs and shows up in a window?

It should run immediately

In my case, what's missing in that path that's broken or changed?

That I don't know, if you tried Inherit and grantPerms without any success, then I'd say it's not a permission problem.

Do you have UAC turned off?

http://windows.micro...account-control

I can post what Symantec AV found before we removed Security Shield as there were other viruses that SAV removed

Post it.

MrC

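MrC's answer above says Inherit and GrantPerms remove restrictions that malware placed on a file. The PowerShell below is an added example, not code from the thread or from either tool, showing what such a restriction looks like at the NTFS level and how to report it before changing anything: explicit Deny entries on the executable and an ACL that no longer inherits from its folder. The path is a placeholder, and `Get-ExecutableAclReport` and `Repair-ExecutableAcl` are names chosen here.

```powershell
# Audit-ExecutableAcl.ps1 (added example; not code from the thread, from
# Inherit.exe or from GrantPerms). Assumes PowerShell 2.0 or later on an NTFS
# volume; the target path below is a placeholder, not a file from the thread.

function Get-ExecutableAclReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path)) { throw "File not found: $Path" }
    $acl = Get-Acl -Path $Path

    # SIDs of the current user and every group it belongs to
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.Groups | ForEach-Object { $_.Value }) + $me.User.Value

    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # A Deny entry is evaluated before any Allow entry, so one Deny on
        # ReadAndExecute (or on Read alone) stops the file from launching
        # even for an administrator account.
        $sid = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # name could not be resolved
        }
        $findings += New-Object PSObject -Property @{
            Kind        = 'DenyAce'
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights.ToString()
            Inherited   = $ace.IsInherited
            AppliesToMe = ($mySids -contains $sid)
        }
    }
    if ($acl.AreAccessRulesProtected) {
        # Inheritance switched off: the file keeps only entries set on it
        # explicitly, which is how it can end up with no usable Allow entry.
        $findings += New-Object PSObject -Property @{
            Kind = 'InheritanceDisabled'; Identity = ''; Rights = ''
            Inherited = $false; AppliesToMe = $true
        }
    }
    return $findings
}

function Repair-ExecutableAcl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Re-enable inheritance from the parent folder (first argument $false)
    # while keeping the entries already on the file (second argument $true),
    # then drop explicit Deny entries. Inherited Deny entries have to be
    # fixed on the folder they come from, so they are reported, not removed.
    $acl.SetAccessRuleProtection($false, $true)
    foreach ($ace in @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholder path): list findings first; repair only if there are any
$target = 'C:\Documents and Settings\student\Desktop\placeholder.exe'
$report = Get-ExecutableAclReport -Path $target
if (@($report).Count -eq 0) {
    'No Deny entries and inheritance intact: look beyond NTFS permissions.'
} else {
    $report | Format-Table Kind, Identity, Rights, Inherited, AppliesToMe -AutoSize
}
```

The report step is the useful part for the question asked in this thread: if it comes back empty for an executable that still will not launch by double-click, the cause is not a file permission, which matches MrC's remark that Inherit and GrantPerms failing to help would rule out a permission problem.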

OK, I'll give it a try. The other day when I did a SAV (Corp Ed 10.2) scan, 3 occurrences of a Trojan.ADH.2 showed up in some file(s) which were repaired. SAV didn't say which file(s) had the issue. Not sure if Firefox has issues with YouTube downloads. Will try IE for a while. This PC is one in a classroom. Will let you know.

Thanks. Ron


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

