Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help


  • This topic is locked This topic is locked
39 replies to this topic

#1 elmosam

elmosam

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 05 October 2004 - 09:26 AM

Logfile of HijackThis v1.98.2
Scan saved at 10:21:28 AM, on 10/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5\ABMTSR.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Richard Nunez\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG35.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Inet Delivery] C:\windows\intdel.exe
O4 - HKCU\..\Run: [3232] C:\WINDOWS\3232.exe
O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\system32\winmm64.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5\ABMTSR.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 05 October 2004 - 01:09 PM

Hello Elmosam and welcome to Bleeping Computer.

I'm looking at your log now and will get back to you soon.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 05 October 2004 - 02:17 PM

You have HijackThis running from a temporary folder. Any backup files HJT creates during the repair process will not be secure if left in a temporary folder.

Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder. If required a tutorial is here: Hijackthis Folder Tutorial

Be sure to complete the above before continuing.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ""
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

O4 - HKLM\..\Run: [MSConfig] MSCONFIG35.EXE
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [Inet Delivery] C:\windows\intdel.exe
O4 - HKCU\..\Run: [3232] C:\WINDOWS\3232.exe
O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\system32\winmm64.exe
O4 - Startup: PowerReg SchedulerV2.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Reboot into Safe Mode and enable viewing of Hidden and System files. Open Windows Explorer (Windows key+e), drill down and delete the following files and folders if found:

C:\Program Files\Windows Media Player\wmplayer.exe <--File
C:\windows\intdel.exe <--File
C:\WINDOWS\3232.exe <--File
C:\WINDOWS\system32\winmm64.exe <--File

Use Windows Search to locate the following file and delete it:

MSCONFIG35.EXE

Your log shows that you are seriously behind on windows updates. It is essential that you update your windows before we continue to help you as otherwise the infections could reoccur. Open this link to the Windows XP Service Pack 1a page, select Express Installation and follow the instructions to download/install Service Pack 1a (SP1a). Reboot when requested then return to Windows Update and install any remaining Critical Updates. Hold off on SP2 for now.


It may be necessary to reinstall Windows Media Player after the above procedure as one of the WMP files had been infected and was removed.

Then please run HJT again and post a new log.

Edited by ddeerrff, 05 October 2004 - 02:39 PM.

Derfram
~~~~~~

#4 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 05 October 2004 - 03:50 PM

Have followed your instructions, and here is a new log. thank you for your help thus far.



Logfile of HijackThis v1.98.2
Scan saved at 4:49:14 PM, on 10/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5\ABMTSR.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Richard Nunez\Local Settings\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5\ABMTSR.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 05 October 2004 - 10:44 PM

Your log appears clean at this time Elmosan. However, you have not yet updated Windows. WindowsXP without any updates has a number of exploitable security holes. Keeping current on the critical updates will go a long way in helping to keep your system clean.

Open this link to the Windows XP Service Pack 1a page, select Express Installation and follow the instructions to download/install Service Pack 1a (SP1a). Reboot when requested then return to Windows Update and install any remaining Critical Updates. Hold off on SP2 for now.

After you have been given the all clear and are comfortable that all is working as it should, then I recommend you go ahead and install SP2. As SP2 is a large update, you may want to order the CD from Microsoft instead of downloading the file. Order here

Are you having any particular problems at this time?
Derfram
~~~~~~

#6 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 06 October 2004 - 06:25 AM

Derf:

I have been unable to download the SP update. After the process starts, I get an error message that "the file c:\windows\system32\ftp.exe is in use", although no other application is open. I am unable to get past this step.

Do you have any suggestions?

Thanks so much!

#7 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 06 October 2004 - 02:29 PM

Elmosan, let's try it this way...

Open this link to the Windows XP Service Pack 1a page, and click on Network Installation under Installing SP1a on Multiple Computers. Then Download "Service Pack 1a for Windows XP Professional and Home Edition" - blue box on the right.

After the download is complete, reboot into Safe Mode, navigate to the folder where the downloaded file (xpsp1a_en_x86.exe) is located, double click on it and allow it to install.
Derfram
~~~~~~

#8 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 06 October 2004 - 03:58 PM

Derf:

I appreciate your help thus far, but I am afraid I am still having the same problem, and am hopeful you can solve it. I went into safe mode as suggested, but upon trying to install SP1, I get the same message "the file c:\windows\system32\ftp.exe is in use" even though no other applications are open. Do you have any suggestions?

#9 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 07 October 2004 - 12:58 AM

Elmosan,

Still researching this, but here are some things to try to get started.

Be sure you are logged on with administrative privileges. If unsure, look in Control Panel, User Accounts, note what group your username is a member of.


Next, let's see if you can manually access ftp.exe.

Open the Start menu and click on RUN.
In the run box type in C:\Windows\System32\FTP.exe then click OK.

A command window should open which shows FTP>.

To close the box, type in bye. Report success/failure.


Open a new cmd windows: Click on the Start menu, then run and enter cmd.exe in the run box and click OK.

At the prompt in the command box, type cacls.exe %windir%\system32\ftp.exe (note space between .exe and %) and hit the Enter key.

Expect to see:

BUILTIN\Users:R
BUILTIN\Power Users:R <--may not show in WinXP Home
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Please report any discrepancies.


With the command box still open, type the command:

cacls.exe %windir%\system32\ftp.exe /P "NT AUTHORITY\SYSTEM":F "BUILTIN\Administrators":F "BUILTIN\Users":R as a single line (the forum may linewrap it) and hit Enter.

(be sure that there is a space after .exe, after /P, and after each :F.)

You should get the question Are you sure (Y/N)? Select Y.

Verify that you have got it right by running
cacls.exe %windir%\system32\ftp.exe again.

Then try once again to get SP1 via the Express Installation describe a couple posts back.

Edited by ddeerrff, 07 October 2004 - 01:01 AM.

Derfram
~~~~~~

#10 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 07 October 2004 - 06:11 AM

Derf:

Yes, I am logged in as the adminstrator. When I enter "C:\Windows\System32\FTP.exe" into the run box, I get the following error message:

"Windows cannot access the specificed device, path, or file. You may not have the appropriate permissions to access the item.".

Any thoughts?

Thanks!

#11 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 07 October 2004 - 08:32 AM

Continue with the rest of the instructions in the previous post. The calcs.exe command is first being used to display the permissions on FTP.exe and in the second case to 'reset' the permissions to what they should be.
Derfram
~~~~~~

#12 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 07 October 2004 - 08:36 AM

Derf:

I am unable to proceed with anything else, as everytime I enter a command such as the ones you recommend in the run box, I get the same error message.".cannot find specified...." as posted above.


HELP!

#13 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 07 October 2004 - 10:09 AM

Am I reading this correctly that you cannot get a command window to open by entering cmd.exe in the run box?

If that's the case, try entering C:\Windows\System32\cmd.exe in the run box and see if you can get a command window to open.

If you can get the command window to open by using the complete path then;
In the command window, enter CD C:\Windows\System32 then Enter. Should see a prompt "C:\Windows\System32>". Then try viewing and resetting permisions (the calcs.exe commands) from there.
Derfram
~~~~~~

#14 elmosam

elmosam
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:25 PM

Posted 07 October 2004 - 10:11 AM

Derf:

You are correct..upon entering any command in the run dialgoue box, I get the same error message described above. I have tried entering each of the commands you have suggested, and I keep getting the same message.

#15 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:25 PM

Posted 07 October 2004 - 10:26 AM

I understand that even entering the entire path C:\Windows\System32\cmd.exe in the Run box does not bring up a command window.

Use Windows Search to locate the file cmd.exe. Please post back with where this file is found (may be multiple locations).

If there are any other user accounts on this machine, try logging on as a different user and see if you can get a command window to open from the Run box.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users