
Howdy, I will be very grateful for any help. Thank you.

I suspect I have MalWare, but I don't know.

The computer has several users, all of which I created. Some users have been created just to help me with my problem.

Symptoms as user RS, with Administrator permissions:

1 - Unable to start any program that is not part of Windows Vista OS, including Command Line Prompt.

Error Message: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

2 - Unable to switch off Hide Known Filename Extensions in the Folder Options and Search. Whenever I uncheck the option and Apply, it resets to being checked.

What I have done as user Pip, without Admin permissions:

1 - Downloaded MalWareBytes, and ran it. The software detected 1 infected file, and I had it deleted. It was late at night, and I did not note the name of the file.

2 - Updated AVG Anti Virus, and ran it. AVG complained about some Yahoo Messenger files having trojans. I deleted Yahoo Messenger, including the directory.

3 - Created some more users with Admin permissions. All was initially well by using new user MT. After about a day, however, user MT could no longer run programs, with the same error message returned as original user RS. The implication seems to be that user MT became infected. I expect the same to happen to user Pip soon.

What I have been unable to try as infected user RS:

1 - I can't run dds (read about it in this forum) because I can't start a program.

2 - I can't run regedit because I can't start a program. (While logged in as Pip, I read that some virus can make regedit changes that need to be corrected.)

Does anyone have experience with this situation? Thank you.

Stark


Hello Heli-Stark and welcome to MalwareBytes forums.

Please select 1 administrator-rights account and login with that account. Please stop creating any new accounts.

Let's get going with the following so we can get a diagnostic report.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.


Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Step 2

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 3

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Administrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 4

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 5

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

  1. Close any/all open internet browsers. Save any documents you have open & close programs you started.
  2. Click on START > All Programs > Malwarebytes' Anti-Malware > Tools > Malwarebytes Anti-Malware Chameleon.
     On Windows 7, press the Windows key, then start typing Malwarebytes in the text box, then select/click Malwarebytes Anti-Malware Chameleon.
  3. Once the Help file opens, click on a Chameleon button (starting with #1).
  4. If running on Vista or Windows 7, press the Yes button when prompted at the UAC prompt to allow it to run.
  5. You should see a black Command-prompt window that remains open and says MBAM-chameleon ver. 1.6 at the top.
  6. Press any key to continue as it says in the window (the space-bar will do).
  7. If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all.)
  8. Have infinite patience during this process.
  9. Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible.
  10. Once the update completes and it says your database is updated, click on the OK button so that the process can continue.
  11. Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.
  12. After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan.
  13. A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.
  14. Once the scan is complete, click on Show Results and remove any threats that are found by clicking Remove Selected.
  15. If prompted to restart your computer to complete the removal process, click Yes.
  16. If no threats are found, press the OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt window.
  17. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats.

Reply with copy of the MBAM scan log for review.

Step 6

Download DDS and save it to your desktop from http://download.blee...om/sUBs/dds.scr here

or http://download.blee...om/sUBs/dds.com or

http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

When done, DDS will open two (2) logs:

  • DDS.txt
  • Attach.txt

Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Re-enable your antivirus program.

Edited by Maurice Naggar
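The FixPolicies step above resets Explorer and System policy settings that can stop a user launching programs, and Rkill resets the .EXE, .COM and .BAT associations; the read-only PowerShell audit below is an added example, not code from this thread or from either tool, that reports the registry locations those fixes touch so the poster's two symptoms can be checked against a settings change rather than assumed to be NTFS permissions. It assumes it is run from the affected account (the per-user keys live under HKCU); the Software Restriction Policy check goes beyond what the thread names and is included because a Disallowed default level is one documented way that only Windows' own programs keep running.

```powershell
# Added example for this thread, not code from Malwarebytes, Rkill or FixPolicies.
# Read-only audit of the registry locations those tools reset when a user cannot start
# programs or a Folder Options setting keeps reverting. It only reports; it changes nothing.
# Assumption: run from the affected account, because the Policies\* and Explorer\Advanced
# keys under HKCU are per user.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing instead of throwing.
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Invoke-LaunchBlockAudit {
    $findings = @()

    # 1. Explorer/System policies (per user under HKCU, machine-wide under HKLM) that
    #    block running programs or the tools needed to undo the block (FixPolicies territory).
    $policyNames = @{
        'Policies\Explorer' = @('DisallowRun', 'NoRun', 'RestrictRun')
        'Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
    }
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in $policyNames.Keys) {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            foreach ($name in $policyNames[$sub]) {
                $v = Get-RegValue -Path $path -Name $name
                if ($null -ne $v -and $v -ne 0) {
                    $findings += "[policy] $path\$name = $v (non-zero enables the restriction)"
                }
            }
        }
    }

    # 2. Software Restriction Policy default level. 0 = Disallowed: every executable outside
    #    the exempt system paths is refused, so only programs shipped with Windows keep running.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = Get-RegValue -Path $safer -Name 'DefaultLevel'
    if ($level -eq 0) {
        $findings += "[srp] $safer\DefaultLevel = 0 (Disallowed); review the rule subkeys beneath it"
    }

    # 3. The associations Rkill resets. Anything other than "%1" %* means every launch of
    #    that file type is routed through some other program first.
    $expected = '"%1" %*'
    foreach ($type in 'exefile', 'comfile', 'batfile') {
        $cmd = Get-RegValue -Path "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command" -Name '(default)'
        if ($cmd -ne $expected) {
            $findings += "[assoc] $type open command is '$cmd' (expected $expected)"
        }
    }

    # 4. Folder Options values behind symptom 2 (HideFileExt 1 = hidden, 0 = shown). Recorded,
    #    not judged: compare before and after a reboot to see whether something resets them.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($name in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
        $findings += "[folder-options] $adv\$name = $(Get-RegValue -Path $adv -Name $name)"
    }

    return $findings
}

Invoke-LaunchBlockAudit | ForEach-Object { Write-Output $_ }
```

Run it once from the account that cannot launch programs and once from an account that still can; a difference in the [policy], [srp] or [assoc] lines points at the setting to undo, while identical output suggests the cause lies elsewhere.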

Thank you very, very much for your programme.

I am trying to print the instructions so that I can follow the programme from the infected account. I have not yet worked out how to print from this forum. Is there a method?

When I click the Printer icon at the bottom of the page, it just refreshes the page.

Thank you.

Stark


You can select the text you want to copy on the forum page, then Copy and Paste it into a NOTEPAD file and save it, and use that for a reference.

Please get going.

And do NOT use the system to do any websurfing, or banking, or online transactions.

Only go to this forum and the websites I guide you to.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Hello.

Thank you for your continued help. Even if I don't get as much time to work upon this I would like, I want you to know that your help is invaluable, and very much appreciated.

I had to create a new Admin user, named 'T1'.

As T1, I downloaded the various files, and ran the products.

Malwarebytes found and deleted:

Trojan.FakeMS

RKILL terminated the following processes:

WLTRYSVC.EXE

bcmwltry.exe

WLTRAY.EXE

After running Malwarebytes Chameleon, and Malwarebytes Scan again, RKILL did not detect subsequent malevolent processes.

Spyware Doctor deleted some minor threat files.

AVG, run after Spyware Doctor, did not detect any threats.

Today, the system does seem to be faster, but when I try to use original Admin account 'RS' (my initials), I am still unable to start any non-OS programs because of lack of permission.

For that reason, I logged out of RS, and back into T1, then ran RKILL and DDS again. The same 3 processes were detected again. Please see RKILL and DDS reports at end of this post.

Stark

Rkill 2.3.15 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/16/2012 07:45:42 PM in x86 mode.

Windows Version: Windows Vista Home Premium Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\System32\WLTRYSVC.EXE (PID: 1960) [WD-HEUR]

* C:\Windows\System32\bcmwltry.exe (PID: 1976) [WD-HEUR]

* C:\Windows\System32\WLTRAY.EXE (PID: 2824) [WD-HEUR]

3 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/16/2012 07:46:23 PM

Execution time: 0 hours(s), 0 minute(s), and 41 seconds(s)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by T1 at 19:54:50 on 2012-09-16

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.569 [GMT -4:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: PC Tools Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\aestsrv.exe

C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\OEM02Mon.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\CyberLink\Shared Files\brs.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Windows\System32\notepad.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5071020

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll"

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [<NO NAME>]

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [dscactivate] c:\dell\dsca.exe 3

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [bDRegion] c:\program files\cyberlink\shared files\brs.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [iSTray] "c:\program files\spyware doctor\pctsGui.exe" /hideGUI

StartupFolder: c:\users\t1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

TCP: DhcpNameServer = 97.64.209.36 97.64.168.13

TCP: Interfaces\{A7B00A97-0774-44E3-8111-E59CDDEFA6F2} : DhcpNameServer = 97.64.180.150 97.64.187.153

TCP: Interfaces\{E54C254C-8AC2-469B-933B-AFD67C276786} : DhcpNameServer = 97.64.209.36 97.64.168.13

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~2\GOEC62~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-19 383368]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-9-16 342168]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-9-16 909728]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-19 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-19 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-19 108552]

R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-9-16 203120]

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-2 22856]

R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-9-16 70768]

.

=============== Created Last 30 ================

.

2012-09-16 18:38:43 -------- d-----w- c:\users\t1\appdata\local\{2650082B-98C1-4171-92EB-3015786672CE}

2012-09-16 17:29:01 -------- d-----w- c:\users\t1\appdata\local\{F2ABCDF8-B29E-4C09-BF86-BAE534279E0B}

2012-09-16 08:09:09 -------- d-----w- c:\windows\RegistryBackup

2012-09-16 08:03:05 -------- d-----w- C:\Anti Virus Programs

2012-09-16 07:54:46 -------- d-----w- c:\users\t1\appdata\local\Adobe

2012-09-16 05:08:21 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys

2012-09-16 05:07:50 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2012-09-16 05:07:50 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys

2012-09-16 05:07:10 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-09-16 05:07:10 17880 ----a-w- c:\windows\system32\drivers\pctBTFix.sys

2012-09-16 04:51:08 -------- d-----w- c:\users\t1\appdata\roaming\TestApp

2012-09-16 04:24:30 -------- d-----w- c:\users\t1\appdata\local\SupportSoft

2012-09-16 04:03:45 -------- d-----w- c:\users\t1\appdata\local\{7C0C458E-BDA8-4B66-87C1-1C85EED734CB}

2012-09-16 04:03:17 -------- d-----w- c:\users\t1\Tracing

2012-09-16 00:39:21 -------- d-----w- c:\users\t1\appdata\roaming\Malwarebytes

2012-09-15 21:34:44 -------- d-----w- c:\users\t1\appdata\local\Opera

2012-09-15 21:24:13 -------- d-----w- c:\users\t1\appdata\local\Scansoft

2012-09-15 21:24:13 -------- d-----w- c:\users\t1\appdata\local\Google

2012-09-15 21:24:09 -------- d-----w- c:\users\t1\appdata\local\MediaDirect

2012-09-15 06:35:36 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90ada83c-c8ef-4fe6-b4af-557ca3a7753b}\offreg.dll

2012-09-14 14:42:07 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90ada83c-c8ef-4fe6-b4af-557ca3a7753b}\mpengine.dll

2012-09-02 08:53:57 -------- d-----w- c:\programdata\Malwarebytes

2012-09-02 08:53:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-02 08:53:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-31 04:51:28 -------- d-sh--w- C:\found.007

2012-08-29 07:04:19 -------- d-----r- c:\program files\Skype

.

==================== Find3M ====================

.

2012-08-31 06:41:48 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-31 06:41:48 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-04 14:02:46 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-22 19:35:16 70568 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2012-06-22 19:29:42 107896 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys

2012-06-22 19:29:36 254944 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2012-06-22 15:39:02 149464 ----a-w- c:\windows\SGDetectionTool.dll

2012-06-22 15:39:00 2267096 ----a-w- c:\windows\PCTBDCore.dll

2012-06-22 15:39:00 1689560 ----a-w- c:\windows\PCTBDRes.dll

2012-06-22 15:38:38 767960 ----a-w- c:\windows\BDTSupport.dll

.

============= FINISH: 19:58:56.79 ===============

I didn't include the Attach.txt file because I don't know how to Zip a file. If it is required then I will research how to Zip a file.

Stark


Hello Stark,

As long as account T1 is an administrator-level-rights account, stick with it and keep logged in with it.

As long as we can rule out malware (until then), my guess at this time is that there are permissions issues of an obscure nature for your other accounts.

As to Attach.txt --- I do not want it zipped (disregard the notation about zip). Just Copy and Paste it into main-body of a new reply.

Now, if you did not buy PC Tools Spyware Doctor, then uninstall it and then restart the system.

After a fresh start of Vista, and while logged in with the T1 admin account, do the following scan with Combofix as outlined.

Step 1

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 2

These steps are for member HemiChrysler only. If you are a casual viewer, do NOT try this on your system!

If you are not HemiChrysler and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have to reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need you to Restart the system fresh!

Reply & Copy & Paste contents of the C:\Combofix.txt log

Re-enable your antivirus program.

Next

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by Maurice Naggar

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Hello Mr Naggar.

Thanks for your patience. I'm busy (24 hour towing, recovery, roadside assistance), but I'm not ungrateful. Thank you so much.

ComboFix report:

---------------------

ComboFix 12-09-29.01 - T1 09/30/2012 6:59.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.870 [GMT -4:00]

Running from: c:\users\T1\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: PC Tools Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-30 )))))))))))))))))))))))))))))))

.

.

2012-09-30 11:33 . 2012-09-30 11:33 -------- d-----w- c:\users\RS\AppData\Local\temp

2012-09-30 11:32 . 2012-09-30 11:32 -------- d-----w- c:\users\Pip\AppData\Local\temp

2012-09-30 11:32 . 2012-09-30 11:32 -------- d-----w- c:\users\MET-TECH\AppData\Local\temp

2012-09-30 11:32 . 2012-09-30 11:32 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-30 10:15 . 2012-09-30 10:15 -------- d-----w- c:\program files\ComboFix

2012-09-30 05:50 . 2012-09-30 05:50 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE3F96E5-A08F-4F92-93AC-D9EEC82E1E30}\offreg.dll

2012-09-28 14:55 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE3F96E5-A08F-4F92-93AC-D9EEC82E1E30}\mpengine.dll

2012-09-23 07:03 . 2012-08-24 06:43 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-09-23 07:03 . 2012-08-24 07:34 140936 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2012-09-23 07:03 . 2012-08-24 06:47 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-09-23 07:03 . 2012-08-24 06:48 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll

2012-09-23 07:03 . 2012-08-24 06:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-09-23 07:03 . 2012-08-24 06:49 194560 ----a-w- c:\program files\Internet Explorer\ieproxy.dll

2012-09-23 07:03 . 2012-08-24 06:51 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-09-23 07:02 . 2012-08-24 07:34 748680 ----a-w- c:\program files\Internet Explorer\iexplore.exe

2012-09-23 07:02 . 2012-08-24 06:59 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-09-23 07:02 . 2012-08-24 06:52 387584 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll

2012-09-23 07:02 . 2012-08-24 06:53 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2012-09-23 07:02 . 2012-08-24 06:51 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-09-16 08:09 . 2012-09-16 08:09 -------- d-----w- c:\windows\RegistryBackup

2012-09-16 08:07 . 2012-09-16 08:08 -------- d-----w- c:\program files\ERUNT

2012-09-16 08:03 . 2012-09-16 20:07 -------- d-----w- C:\Anti Virus Programs

2012-09-16 05:08 . 2012-06-22 15:39 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys

2012-09-16 05:07 . 2012-02-28 15:43 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2012-09-16 05:07 . 2012-02-28 15:43 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys

2012-09-16 05:07 . 2012-06-22 19:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-09-16 05:07 . 2012-06-22 19:33 17880 ----a-w- c:\windows\system32\drivers\pctBTFix.sys

2012-09-16 04:17 . 2012-09-16 04:20 -------- d-----w- c:\users\T2

2012-09-15 21:23 . 2012-09-16 04:03 -------- d-----w- c:\users\T1

2012-09-06 01:58 . 2012-09-06 01:58 -------- d-----w- c:\users\Pip\AppData\Roaming\vlc

2012-09-03 16:21 . 2012-09-15 20:05 -------- d-----w- c:\users\Pip\AppData\Roaming\OpenOffice.org2

2012-09-03 01:26 . 2012-09-11 18:01 -------- d-----w- c:\users\Pip\Tracing

2012-09-02 08:55 . 2012-09-02 08:55 -------- d-----w- c:\users\Pip\AppData\Roaming\Malwarebytes

2012-09-02 08:54 . 2012-09-02 08:54 -------- d-----w- c:\users\MET-TECH\AppData\Roaming\Malwarebytes

2012-09-02 08:53 . 2012-09-02 08:53 -------- d-----w- c:\programdata\Malwarebytes

2012-09-02 08:53 . 2012-09-16 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-02 08:53 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-02 08:52 . 2012-09-02 08:52 -------- d-----w- c:\users\Pip\AppData\Local\Adobe

2012-09-02 08:20 . 2012-09-02 08:20 -------- d-----w- c:\users\Pip\AppData\Local\SupportSoft

2012-09-02 08:19 . 2012-09-02 08:19 -------- d-----w- c:\users\Pip\AppData\Local\Opera

2012-09-01 07:46 . 2012-09-01 07:46 -------- d-----w- c:\users\MET-TECH\AppData\Roaming\Winamp

2012-08-31 16:30 . 2012-08-31 16:30 -------- d-----r- c:\users\MET-TECH\AppData\Roaming\Brother

2012-08-31 16:19 . 2012-08-31 16:19 -------- d-----w- c:\users\MET-TECH\AppData\Roaming\ScanSoft

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-31 06:41 . 2012-07-24 17:45 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-31 06:41 . 2012-07-24 17:45 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-04 14:02 . 2012-08-16 07:01 2047488 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]

"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-20 30192]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-10-19 2042208]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-13 144784]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]

"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-03-21 91432]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]

"ISTray"="c:\program files\Spyware Doctor\pctsGui.exe" [2012-06-22 2673624]

.

c:\users\T1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-19 50688]

QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - PCTSDInjDriver32

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 06:41]

.

2012-09-29 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-05 05:19]

.

2012-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-31 06:42]

.

2012-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-31 06:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

TCP: DhcpNameServer = 97.64.209.36 97.64.168.13

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-CX4300_5500_DX4400 manual - c:\program files\EPSON\TPMANUAL\CX4300_5500_DX4400\ENG\USE_G\DOCUNINS.EXE

AddRemove-Digital Media Converter_is1 - c:\program files\Deskshare\Digital Media Converter\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-30 07:34

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(7124)

c:\program files\Spyware Doctor\pctgmhk.dll

.

Completion time: 2012-09-30 07:41:23

ComboFix-quarantined-files.txt 2012-09-30 11:41

.

Pre-Run: 47,296,458,752 bytes free

Post-Run: 48,657,698,816 bytes free

.

- - End Of File - - A16E3053665941E8BDE644949B44BE80

SecurityCheck report :

----------------------------

Results of screen317's Security Check version 0.99.51

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG Anti-Virus Free

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

PC Tools Spyware Doctor 9.0

Malwarebytes Anti-Malware version 1.65.0.1400

Java SE Runtime Environment 6

Java 6 Update 4

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.4.402.265

Adobe Reader 8 Adobe Reader out of Date!

Google Chrome 20.0.1132.57

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

SecurityCheck SecurityCheck.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1 %

````````````````````End of Log``````````````````````

Do you think it's a strange permissions issue, and never was a malware infection?

Stark


I could not tell whether permissions were or are an issue. No telling.

You need to check with AVG support. It looks like you are running an ancient version of AVG antivirus.

There are 2 old versions of the Java runtime that need to be uninstalled:

Java SE Runtime Environment 6

Java 6 Update 4

Older versions of Java pose a security risk.

And if you do not need Java for the programs that you use, keep Java off your system. There is a security concern about the newest versions as well.

See http://seclists.org/bugtraq/2012/Sep/109

and https://www.networkworld.com/community/blog/time-disable-java-again-1-billion-risk-newest-critical-java-bug

Also, uninstall

Adobe Flash Player 10

Adobe Flash Player 11.4.402.265

To de-install Flash Player

Use Programs and Features (Windows 7 & Vista) or Add-or-Remove Programs (Windows XP) to de-install older versions of Flash Player.

For stubborn cases,

Download and save the Flash Player uninstaller >> uninstall Flash Player for 32-bit Windows<<

If you have Windows 64-bit, use this Flash Player uninstaller >> uninstall Flash Player for 64-bit Windows<<

Close all browsers and instant messenger (IM) programs.

Run the uninstaller.

To get latest Flash Player

Go to http://www.adobe.com/go/getflash

and get the latest Flash Player

Un-check any checkbox for Google Chrome, McAfee Security Scan Plus, or any other widget, toolbar or add-on!

Reference: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

http://support.microsoft.com/kb/827218

Adobe Reader

Older versions of Adobe Reader pose a potential security risk.

Uninstall your Adobe Reader: use Control Panel's Programs and Features to uninstall Adobe Reader.

Get latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered).

The ComboFix run found no malware.

If you are able to run your programs OK, then we can proceed to cleanups. Let me know.

I can appreciate that you stay busy. But please, do not let 3 full days go by without some kind of response.

I stay plenty busy myself helping many people.

I usually close topics after 4 days without a response.

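The advice above says to remove every old copy of Java, Flash Player and Adobe Reader, and the Security Check log shows why that is easy to get wrong: several copies of each were registered at once. The following PowerShell script is an added example, not code from this thread or from any of the tools it mentions. It lists every registered copy of those products from the Uninstall registry keys that Programs and Features reads, with the key it came from and the uninstall command Windows would run, and then flags product families with more than one copy. It assumes Windows PowerShell is installed (on Vista it is a separate download) and that the products registered themselves under the standard Uninstall keys; the function names and the product-name pattern are mine.

```powershell
# Added example, not code from the thread. Enumerates every installed copy of
# Java, Flash Player and Adobe Reader from the registry keys that Programs and
# Features reads, so stale copies can be removed one at a time. Assumption: the
# products registered themselves under the standard Uninstall keys (normal
# installers do; a portable or half-removed install will not show up here).
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)
# Display names to report; extend the alternation for other products.
$ProductPattern = '^(Java|J2SE|Adobe Flash Player|Adobe Reader|Adobe Acrobat Reader)'

function Get-RuntimeInventory {
    # One row per registered copy, with the key it came from and the command
    # Programs and Features would run to remove it. Missing keys (e.g. no
    # Wow6432Node on 32-bit Vista) are skipped silently.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $ProductPattern } |
        Select-Object DisplayName, DisplayVersion, Publisher,
            @{ Name = 'UninstallString'; Expression = { $_.UninstallString } },
            @{ Name = 'RegistryKey';     Expression = { $_.PSPath -replace '^.*::', '' } } |
        Sort-Object DisplayName, DisplayVersion
}

function Get-DuplicateProducts {
    # Collapse "Java(TM) 6 Update 4", "Java 7 Update 7" and similar to a rough
    # family name and report families with more than one copy, which is what the
    # Security Check log showed for Java and Flash. Flash legitimately has two
    # entries (ActiveX for Internet Explorer, Plugin for other browsers), so
    # compare the versions, not just the count.
    Get-RuntimeInventory |
        Group-Object { $_.DisplayName -replace '\s+\d.*$', '' -replace '\(TM\)', '' } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $versions = ($_.Group | ForEach-Object { $_.DisplayVersion }) -join ', '
            "$($_.Name.Trim()): $($_.Count) copies ($versions)"
        }
}

Get-RuntimeInventory | Format-Table DisplayName, DisplayVersion, RegistryKey -AutoSize -Wrap
Get-DuplicateProducts
```

Run it from an elevated PowerShell prompt in an account that can still start programs. The UninstallString column is the exact command Programs and Features runs for that entry; uninstall the oldest copies first, re-run the script, and only then install the current version, so that a leftover old copy does not sit beside the new one.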

Absolutely was not implying that you're not busy. I can see you are exceptionally busy with this forum ! Thank you.

I just uninstalled :

old Flash player

old Adobe Reader

old Java stuff

I re-installed :

Flash

Adobe Reader

Tomorrow I will try original user RS again, to check whether I can run non-Vista software.

Stark


Alas, it didn't make a difference to original account 'RS'. I still can't run software for lack of permissions.

Thank you very much for helping me. I now don't think it is a malware problem.

I think you're right that it is a strange permission issue. That's the avenue of investigation that I will follow.

Thank you.


Please do this at the next opportunity (hopefully very soon) :

Please download ExeFix.reg by farbar and save it to a flash drive or to the root of the system drive (usually C:).


  • Important: Boot your computer into the account that has trouble running exe files.
  • Right-click it and select Merge.

Now, restart the system fresh.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller

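The ExeFix.reg step above targets the .exe file association, which is the usual reason one account (and only that account) gets "Windows cannot access the specified device, path, or file" for every non-Windows program while other accounts work: a per-user entry under HKCU\Software\Classes overrides the machine-wide one under HKLM\Software\Classes, so only the profile carrying the override is affected. The same error also appears when the program file itself carries a Deny ACE for the user, which is the "strange permissions issue" raised earlier in the thread. The script below is an added example, not code from the thread or from farbar's ExeFix.reg; it reads both places and changes nothing. It assumes Windows PowerShell is installed and is run from an account that can still start programs (the affected account cannot, so its hive is loaded from another account, as shown in the comments); the parameter names, the hive name RSHive and the choice of regedit.exe as the probe file are mine.

```powershell
# Added example, not code from the thread or from farbar's ExeFix.reg.
# Read-only check of the two things that produce "Windows cannot access the
# specified device, path, or file" for one account only: a per-user override of
# the .exe file association (the association ExeFix.reg restores) and explicit
# Deny ACEs on the program being launched.
# Assumptions: Windows PowerShell is present, and this runs from an account that
# can still start programs. To inspect another profile, load its hive first:
#   reg load HKU\RSHive C:\Users\RS\NTUSER.DAT
#   .\Check-ExeLaunch.ps1 -UserRoot 'Registry::HKEY_USERS\RSHive'
#   reg unload HKU\RSHive
param(
    [string]$UserRoot = 'HKCU:',                       # profile to inspect
    [string]$ProbeExe = "$env:SystemRoot\regedit.exe"  # a program that fails to start
)

$StockCommand = '"%1" %*'   # default value of exefile\shell\open\command on a clean system
$findings = New-Object System.Collections.Generic.List[string]

function Get-DefaultValue([string]$Path) {
    # Default (unnamed) value of a key, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

# 1. Per-user association. A stock profile has neither key; anything present
#    here takes precedence over HKLM for this account only.
$userExt = Get-DefaultValue "$UserRoot\Software\Classes\.exe"
if ($null -ne $userExt -and $userExt -ne 'exefile') {
    $findings.Add("per-user .exe ProgID is '$userExt' (expected none or 'exefile')")
}
$userCmd = Get-DefaultValue "$UserRoot\Software\Classes\exefile\shell\open\command"
if ($null -ne $userCmd -and $userCmd -ne $StockCommand) {
    $findings.Add("per-user exefile open command is '$userCmd' (expected '$StockCommand')")
}
$fileExts = "$UserRoot\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe"
if (Test-Path -LiteralPath $fileExts) {
    $findings.Add("Explorer FileExts override exists for .exe at $fileExts")
}

# 2. Machine-wide association, which every account falls back to.
$machineExt = Get-DefaultValue 'HKLM:\Software\Classes\.exe'
if ($machineExt -ne 'exefile') { $findings.Add("HKLM .exe ProgID is '$machineExt'") }
$machineCmd = Get-DefaultValue 'HKLM:\Software\Classes\exefile\shell\open\command'
if ($machineCmd -ne $StockCommand) { $findings.Add("HKLM exefile open command is '$machineCmd'") }

# 3. Deny ACEs on the program itself. A Deny for Users, Everyone or the account
#    gives the same "permissions" error without any registry change.
if (Test-Path -LiteralPath $ProbeExe) {
    $acl = Get-Acl -LiteralPath $ProbeExe
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $findings.Add("Deny ACE on ${ProbeExe}: $($ace.IdentityReference) -> $($ace.FileSystemRights)")
        }
    }
}

if ($findings.Count -eq 0) {
    "No .exe association override and no Deny ACE found for $UserRoot / $ProbeExe."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Any per-user finding under step 1 is exactly what merging ExeFix.reg from inside the affected account is meant to put right, and a Deny ACE under step 3 explains the error without any registry change at all. Run the check again after the fix and after the next reboot: the original post describes a second account going bad after a day, so a finding that comes back points at something still writing those keys rather than at a one-off corruption.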

Hello,

Are you still with me? Or have you resolved your issue?

If I do not hear back from you soon, I will close this thread.

It has been 6 days since my last reply. If you wish for me to continue helping, can you make a commitment to at least do some part each day, even if it is just 1 task?

