
WinXP: Cannot install any programs, including Malwarebytes Anti-Malware, with the file renamed



WinXP: Trying to install Defogger, DDS, Malwarebytes or any program, I get this message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I have tried in safe mode, safe mode with networking, and normal mode. It is Friday the 13th and I just set up a new-to-me 15 inch LCD monitor... but I cannot install Malwarebytes Anti-Malware...

I have the AVG Free anti-virus package. I had an older version of Malwarebytes Anti-Malware installed, but it would not run (it had run errors). I removed that version of your software with Add or Remove Programs and tried to install the newer download, but no luck today on a normally lucky day...

Fred

Link to post
Share on other sites

Hi Fred, please try to run this tool (also make sure you are logged in as Administrator):

Download and run Win32kDiag:

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


Elise025,

Thanks for the rapid reply, but I cannot install any software!

Unable to force this option ("make sure you are logged in as Administrator"), as I am always an administrator.

Thus: I was unable to install "Win32kDiag" in Normal mode... I will reboot into safe mode to try, and if that is successful I will return and post the logs; otherwise please understand I need a command to force install, as currently I am unable to install software...

Also, I think I was able to update AVG yesterday, but the logs show it was corrupted, and the regular scheduled scan log was also corrupted, so I would guess this infection has managed to make the AVG anti-virus package a dream rather than the working package I believed was protecting me...

It makes sense that Malwarebytes Anti-Malware would no longer run, and now I'm discovering the anti-virus is also not running correctly...

I would guess my machine is owned/zombied and I am making money for a criminal...

Fred


Try to rename the file from win32kdiag.exe to random.com (right-click on the download link and select Save Target As).

Long day with safe mode: managed a few installs, including win32kdiag.exe

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Administrator at 11:22:44.73 on Sat 08/14/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.992.751 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Mr.Fred\Desktop\dds.com

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://srch-us4.hpwis.com/

mSearchAssistant =

mCustomizeSearch =

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [s3TRAY2] S3tray2.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

mRun: [LTMSG] LTMSG.exe 7

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"

mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [trioService] "c:\windows\resources\themes\3ddolphins\scrfiles\trioService.exe "

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}

IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://www.refurbdepot.com/CFIDE/classes/CFJava.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} - hxxp://las.mlxchange.com/Control/SISC.cab

DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c}

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174356467218

DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://las.mlxchange.com/Control/LiteGrid.cab

DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} - hxxp://imlive.com/chatsource/ImlCID.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-27 243024]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-27 216400]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-27 29584]

S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

S2 KwinzySrch Service;KwinzySrch Service;"c:\documents and settings\all users\application data\kwinzysrch\kwinzy131.exe" "c:\program files\kwinzysrch\kwinzy.dll" service --> c:\documents and settings\all users\application data\kwinzysrch\kwinzy131.exe [?]

S2 SBAMSvc;AntiMalware;"c:\program files\ascentive\spyware striker\sbamsvc.exe" --> c:\program files\ascentive\spyware striker\SBAMSvc.exe [?]

S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\pcdrdrv.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]

S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-15 164864]

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2001-7-31 130332]

=============== Created Last 30 ================

2010-08-13 20:11:49 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-13 19:35:33 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-07-15 16:39:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 16:39:24 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 16:35:41 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:06:51 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 15:12:57 634656 ------w- c:\windows\system32\dllcache\iexplore.exe

2010-06-17 15:11:25 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2009-04-24 21:27:13 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042420090425\index.dat

============= FINISH: 11:23:36.78 ===============

* * *

Running from: C:\Documents and Settings\Mr.Fred\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\$NtServicePackUninstall$\1394bus.sys

[1] 2004-08-03 23:10:06 53248 C:\WINDOWS\$NtServicePackUninstall$\1394bus.sys ()

[1] 2008-04-13 11:46:18 53376 C:\WINDOWS\ServicePackFiles\i386\1394bus.sys (Microsoft Corporation)

* * *

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4429

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.11

8/14/2010 11:44:44 AM

mbam-log-2010-08-14 (11-44-44).txt

Scan type: Quick scan

Objects scanned: 140213

Time elapsed: 14 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 28

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KWINZYSRCH_SERVICE (Adware.Zwangi) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KwinzySrch Service (Adware.Zwangi) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\1.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\a.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\b.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\c.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\d.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\e.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\f.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\g.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\h.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\i.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\J.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\k.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\l.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\m.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\mru.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\n.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\o.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\p.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\q.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\r.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\s.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\t.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\u.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\v.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\w.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\x.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\y.xml (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Mr.Fred\Application Data\PriceGong\Data\z.xml (Adware.Agent) -> Quarantined and deleted successfully.

Fred

Attach_08_14_2010.zip

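The SERVICES / DRIVERS section of the DDS log above is the part a helper reads first: which service binaries exist, where they live, and which ones DDS could not find. As an added example (my code, not DDS's, Malwarebytes' or anything posted in this thread), the Python below parses those `R`/`S` lines and applies the checks a practitioner wants at a glance: whether DDS found the binary at all (the `--> path [?]` form), whether the binary sits in a location an ordinary user can write to, and whether the service command line hands a second DLL to the binary. The sample input is copied from the log above; the trusted-prefix and user-writable path lists and the flag wording are my own heuristics, not a DDS convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the SERVICES / DRIVERS lines copied from the DDS log above.
SAMPLE_DDS_SERVICES = r"""
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-27 243024]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S2 KwinzySrch Service;KwinzySrch Service;"c:\documents and settings\all users\application data\kwinzysrch\kwinzy131.exe" "c:\program files\kwinzysrch\kwinzy.dll" service --> c:\documents and settings\all users\application data\kwinzysrch\kwinzy131.exe [?]
S2 SBAMSvc;AntiMalware;"c:\program files\ascentive\spyware striker\sbamsvc.exe" --> c:\program files\ascentive\spyware striker\SBAMSvc.exe [?]
S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\pcdrdrv.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-15 164864]
"""

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Heuristics (my assumption, not a DDS convention): where a service binary normally
# lives on XP, and path fragments that an ordinary user account can write to.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

# "<R|S><start type> <name>;<display name>;<command line> ..."  (R = running, S = stopped)
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# DDS appends "[YYYY-M-D SIZE]" when it found the file and "--> path [?]" when it did not.
STAMP_RE = re.compile(r"\s\[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    command: str           # command line as registered for the service
    image: str             # binary DDS resolved it to
    file_found: bool
    size: Optional[int]    # file size DDS recorded, None when it found nothing


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    has_arrow = " --> " in rest
    command, image = rest.split(" --> ", 1) if has_arrow else (rest, rest)
    file_found, size = True, None
    if image.endswith(" [?]"):
        file_found, image = False, image[: -len(" [?]")]
    else:
        stamp = STAMP_RE.search(image)
        if stamp:
            size, image = int(stamp.group(2)), image[: stamp.start()]
    if not has_arrow:
        command = image
    return ServiceEntry(name, display, state == "R", START_TYPES[start],
                        command, image, file_found, size)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    return [e for e in map(parse_service_line, text.splitlines()) if e]


def flag_entry(e: ServiceEntry) -> List[str]:
    flags = []
    low = e.image.lower()
    if not e.file_found:
        flags.append("binary not found on disk")
    if any(frag in low for frag in USER_WRITABLE):
        flags.append("binary in user-writable location")
    elif not low.startswith(TRUSTED_PREFIXES):
        flags.append("binary outside Windows/Program Files")
    # A command line that hands a second DLL to the service binary means the
    # binary is a host loading code from somewhere else; worth a look.
    if '.dll"' in e.command.lower():
        flags.append("command line loads an extra DLL")
    return flags


def triage(text: str):
    """Map service name -> flags for every entry that raised at least one flag."""
    return {e.name: flag_entry(e) for e in parse_dds_services(text) if flag_entry(e)}


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_DDS_SERVICES).items():
        print(f"{name}: {'; '.join(flags)}")
```

On this input the only entry that trips every check is the KwinzySrch service, the one the MBAM scan in the same post later removed as Adware.Zwangi. The two other `[?]` entries (SBAMSvc, PCDRDRV) only say the binary is missing, which by itself points to a stale registration rather than to malware; the log was also taken in Safe Mode, so the S (stopped) state of auto-start services is expected and is deliberately not flagged.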

Hi Fred, well done! :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message.

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


* * *

elise025,

Downloaded, shut down my antivirus, and again am receiving this error notice:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I wonder if it would be OK to install in safe mode, since it seems I am still owned in Normal Mode, or is there a workaround to force install?

Fred

Link to post
Share on other sites

Hi Fred, yes, first try safe mode. Try also to rename the file to random.exe

I can install the software using another account in safe mode, but I cannot install any software using the Mr.Fred user account...

I managed to get ComboFix installed, but it said I have an anti-virus package running. I opened Task Manager and killed all the AVG processes, and it still said I had it running; I did not know what else to do, so I removed the anti-virus and then restarted ComboFix, and it said I had an anti-virus package running, but I had no antivirus installed... So I continued with ComboFix...

* * *

ComboFix 10-08-14.06 - Administrator 08/15/2010 17:14:53.1.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.992.792 [GMT -7:00]

Running from: c:\documents and settings\Mr.Fred\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe

c:\windows\system\oeminfo.ini

c:\windows\system32\autoexec.bat

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))

.

2010-08-16 00:06 . 2010-08-16 00:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2010-08-16 00:04 . 2010-08-16 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-08-14 18:55 . 2010-08-14 18:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-14 18:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-14 18:26 . 2010-08-14 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-14 18:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-13 20:12 . 2010-08-13 20:12 -------- d-----w- c:\program files\Common Files\Java

2010-08-13 20:11 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-13 19:35 . 2010-08-13 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-08 08:15 . 2010-08-08 08:15 503808 ----a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-354859d9-n\msvcp71.dll

2010-08-08 08:15 . 2010-08-08 08:15 499712 ----a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-354859d9-n\jmc.dll

2010-08-08 08:15 . 2010-08-08 08:15 348160 ----a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-354859d9-n\msvcr71.dll

2010-08-08 08:15 . 2010-08-08 08:15 61440 ----a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6b50f9a4-n\decora-sse.dll

2010-08-08 08:15 . 2010-08-08 08:15 12800 ----a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6b50f9a4-n\decora-d3d.dll

2010-07-20 16:00 . 2010-07-20 16:00 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-07-20 16:00 . 2010-07-20 16:00 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll

2010-07-20 16:00 . 2010-07-20 16:00 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

2010-07-20 16:00 . 2010-07-20 16:00 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-15 23:49 . 2009-11-12 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-08-15 23:26 . 2009-05-07 02:16 -------- d-----w- c:\program files\lx_cats

2010-08-15 09:52 . 2009-11-22 03:43 0 -c--a-w- c:\documents and settings\Mr.Fred\Local Settings\Application Data\prvlcl.dat

2010-08-14 22:46 . 2005-06-14 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-13 20:11 . 2007-03-30 03:54 -------- d-----w- c:\program files\Java

2010-08-13 19:41 . 2002-06-08 18:07 -------- d-----w- c:\program files\PC-Doctor for Windows XP

2010-08-13 19:40 . 2009-04-24 02:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2010-08-13 19:38 . 2009-07-28 03:06 54 ----a-w- c:\windows\system32\rp_stats.dat

2010-08-13 19:38 . 2009-07-28 03:06 39 ----a-w- c:\windows\system32\rp_rules.dat

2010-07-15 16:39 . 2009-04-27 14:53 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 16:39 . 2010-07-15 16:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 16:35 . 2009-04-27 14:53 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-30 12:31 . 2002-06-08 18:17 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15 . 2004-02-07 01:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2002-06-08 18:14 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2002-06-08 18:17 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2002-06-08 18:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2002-06-08 18:16 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2003-08-12 17:03 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2003-11-17 19:20 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-02 15:28 . 2009-04-27 14:53 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-23 08:14 . 2010-05-23 08:14 503808 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-56e46e20-n\msvcp71.dll

2010-05-23 08:14 . 2010-05-23 08:14 499712 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-56e46e20-n\jmc.dll

2010-05-23 08:14 . 2010-05-23 08:14 348160 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-56e46e20-n\msvcr71.dll

2010-05-23 08:14 . 2010-05-23 08:14 503808 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5beaf983-n\msvcp71.dll

2010-05-23 08:14 . 2010-05-23 08:14 499712 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5beaf983-n\jmc.dll

2010-05-23 08:14 . 2010-05-23 08:14 348160 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5beaf983-n\msvcr71.dll

2010-05-23 08:14 . 2010-05-23 08:14 12800 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-36c2e784-n\decora-d3d.dll

2010-05-23 08:14 . 2010-05-23 08:14 61440 -c--a-w- c:\documents and settings\Mr.Fred\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-36c2e784-n\decora-sse.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"LTMSG"="LTMSG.exe 7" [X]

"S3TRAY2"="S3tray2.exe" [2001-10-05 69632]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-16 212992]

"PS2"="c:\windows\system32\ps2.exe" [2001-07-04 81920]

"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-05 196608]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 286720]

"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]

"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-24 1398272]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 16:39 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Iomega App Services"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [4/27/2009 7:53 AM 243024]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [4/27/2009 7:53 AM 216400]

S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:38 AM 308136]

S2 SBAMSvc;AntiMalware;"c:\program files\Ascentive\Spyware Striker\SBAMSvc.exe" --> c:\program files\Ascentive\Spyware Striker\SBAMSvc.exe [?]

S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]

S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\SYSTEM32\drivers\sis7012.sys [4/15/2002 7:18 PM 164864]

S3 trid3d;trid3d;c:\windows\SYSTEM32\drivers\trid3dm.sys [7/31/2001 5:27 PM 130332]

.

Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-239712180-2796713857-643571872-1009Core.job

- c:\documents and settings\Mr.Fred\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-29 20:20]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-239712180-2796713857-643571872-1009UA.job

- c:\documents and settings\Mr.Fred\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-29 20:20]

2010-08-15 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-08-15 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2009-11-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-08-14 22:31]

2009-11-18 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-08-14 22:31]

.

.

------- Supplementary Scan -------

.

mSearch Bar = hxxp://srch-us4.hpwis.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c}

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckcezmu3.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

AddRemove-SiS7012 - c:\progra~1\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012

AddRemove-Works2002Setup - c:\program files\Microsoft Works and Money 2002\Setup\Launcher.exe \hp\tmp\src\

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-15 17:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{79DD782F-DD9B-90C8-01AB82140B2B65EB}\{DE7D83BF-EB3B-F5D9-D52C430ACBAFB5F9}\{D743F1FE-35C6-E579-63E67F5CCF1E1FA7}*]

"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,

3a

.

Completion time: 2010-08-15 17:26:52

ComboFix-quarantined-files.txt 2010-08-16 00:26

Pre-Run: 22,320,603,136 bytes free

Post-Run: 22,567,075,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

- - End Of File - - 1BB3E3C6780082F1393F4E1C3F38B860


Please try to run OTL from your working safe mode account.

OTL

-----

Please download OTL from one of the following mirrors:

1. Save it to your desktop.
2. Double click on the OTL icon on your desktop.
3. Click the "Scan All Users" checkbox.
4. Push the Run Scan button.
5. Two reports will open, copy and paste them in a reply here:
   - OTListIt.txt <-- Will be opened
   - Extra.txt <-- Will be minimized


2 weeks later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.