It started with Windows Police Pro...

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages

1 2 3 >

It started with Windows Police Pro..., Virus Infection, Malware, Idiot User

Options

IditoUser View Member Profile	Oct 27 2009, 06:52 PM Post #1
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Okay, so, first, please let me start off that I am an absolute idiot user. Perhaps I have learned a little more this time, but...well, let's at least say I learned about Bleeping Computer and I'm hoping you can help. Am running Dell XPS400, with Windows XP Media Center Edition, Version 5.2 My Trend Microcillan exprired in May and I didn't prioritize the renewal. Here comes the stupid. A few days ago Windows Police Pro infected my system, couldn't use web pages, windows fixed an internet connection error; in all honesty, what happened next was pretty fast. Other parts of the system started shutting down and becoming inaccesible. I couldn't run PCillan, couldn't get my security center up and couldn't get to Add/Remove programs. Then the real idiot, panic, set in. I started looking up WPP online and started deleting, renaming, attempting to remove the files in any way I could. Might as well have handed a man on fire a can of gasoline... I removed about five-seven files, some of which, I'm sure, were actually harmful! ugg. Anyway, now, of course, I've gone the opposite route. I had little to no responsiveness, at all, to the system; when I log in, my desktop font is different and my toolbar is already open. Showing "My docs" "My computer" "My Network Places" "Recycle Bin" a dead "Internet Explorer" and "Coral Photo Album" open. I can look at those folders, but when I close them, they return to the toolbar... I of course took my can of gasoline and started to apply napalm, thinking this would solve the problem...(again, please see username). I downloaded to a laptop, "Dr Web Cure-It!", "Autoruns", "DDS", "HJT" (sorry), "MBAM", "OTM", Root Repeal, Spyware Doctor, spybots, stopzilla, TFC, unhook... After that dowsing, some things actually work. I can access the stick I am using to destroy my machine, for example. I've been able to run most everything (see username), from the stick, but can't actually save any of it to any effectiveness. Most likely a good thing, now that I've stopped the panic, found Bleeping Computer and can perhaps get some help. Thinking it may be WPP, I attempted to install and run MBAM, but have a run-time error '372", failed to load control 'vbalGrid' from vbalsgrid6.ocx. Spyware Doctor notes Updates Required, seeks Proxy settings and asks to run Smart Update. Whatever the heck is what I did got HJT up and running, it wouldn't. It would run, list the log and close immediately. I did move files with OTM. Attached File(s) DDS.txt ( 7.95k ) Number of downloads: 13 RootRepeal_report_10_27_09__19_27_15_.txt ( 2.89k ) Number of downloads: 4

farbar View Member Profile	Oct 28 2009, 02:17 PM Post #2
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Hi IditoUser, Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem. Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this. The computer is obviously in a pretty bad shape. I can't say from the log who did the most damage, the malware or someone else. But we are going to take a shot at it. Please describe the condition of your computer so that I know what is going on and adjust my fixes to the current condition of the computer . What are the specific symptoms? Can you use internet? Can you copy and paste? etc. Please download the attached file and run it. A log.txt file will be saved on your memory stick. Please post the content of it or attach it to your reply. Attached File(s) look.bat ( 127bytes ) Number of downloads: 2 -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 29 2009, 11:21 AM Post #3
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	I agree to refrain from making any changes to the system (scanning or running other tools, updating Windows, installing applications, removing files, etc.). Okay, downloaded lookit, ran the file, received the following log.txt Volume in drive C has no label. Volume Serial Number is F8E7-8B22 Directory of c:\WINDOWS\$NtServicePackUninstall$ 08/10/2004 07:00 AM 14,336 svchost.exe 1 File(s) 14,336 bytes Directory of c:\WINDOWS\ServicePackFiles\i386 04/13/2008 08:12 PM 14,336 svchost.exe 1 File(s) 14,336 bytes Directory of c:\WINDOWS\system32 04/13/2008 08:12 PM 14,336 svchost.exe 1 File(s) 14,336 bytes Total Files Listed: 3 File(s) 43,008 bytes 0 Dir(s) 88,981,295,104 bytes free Volume in drive C has no label. Volume Serial Number is F8E7-8B22 Directory of c:\ I am sincerely hoping this is it; lookit opened a dos window, and then noted that the log.txt would be saved to my k drive. My PC is limping along, I cannot copy and paste files to my desktop; just not an option. I have save as, which would create a shortcut. When I open a word doc., it notes: “This document could not be registered. It will not be possible to create links from other documents to this document”. Internet is dead. Both because I’ve disconnected and it wouldn’t work before hand anyway. Now, it won’t even open an explorer window. I can now access My computer and open add/remove programs. I can also, now, open security center, however, when I attempt to open windows firewall, it notes: “Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?” Not sure if that helps with diagnosis. This post has been edited by IditoUser: Oct 29 2009, 11:30 AM

farbar View Member Profile	Oct 29 2009, 12:55 PM Post #4
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Have you tried to run ComboFix? Did it run? Have you used Windows Configuration Utility (msconfig) to disable services? Please download the following tool on your desktop. http://download.bleepingcomputer.com/sUBs/Beta/querySvc.exe Double click to run it. It will produce a log, copy and paste or attach the log to your reply. Please download OTL by OldTimer. Save it to your desktop. Double click on the OTL icon on your desktop. Check the "Scan All Users" checkbox. Check the "Standard Output". In all the sections on the left side (Processes, Services, Drivers, Modules, Standard Registry, Extra Registry) section check All. Click Run Scan button. Two reports will open (it might not open in your case), copy and paste or attach them to your reply: OTL.txt <-- Will be opened Extra.txt <-- Will be minimized -------------------- This is a voluntary free service. However, if you would like to donate click on

farbar View Member Profile	Oct 29 2009, 05:15 PM Post #6
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Copy and paste is preferred. Thanks. I guess the ComboFix log was removed. It could have given us insight right away to the kind of initial infection. Often for us it is much easier to clean an infected computer than a relatively cleaned computer as we don't know any more what was on it. Each infection has its own behavior. But good news is that I might have spotted the issue. Download Win32kDiag from any of the following locations and save it directly on your flash drive. Don't put it in a folder. Download Win32kDiag (Win32kDiag.exe) - #1 Download Win32kDiag (Win32kDiag.exe) - #2 Download Win32kDiag (Win32kDiag.exe) - #3 Download and run the attached file. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please post the contents here. If you couldn't copy the file to your flash drive see if you can do it after rebooting the next step. Otherwise tell me about it and I'll show you how to do it. Reboot the computer. Run querySvc.exe once more and post the log please. Attached File(s) win32.bat ( 33bytes ) Number of downloads: 0 -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 29 2009, 06:16 PM Post #7
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Okay, did all was said for win32kdiag, loaded to stick, ran on pc; at the end is said "Finished! Press any key to exit" I did so, but no file was saved to the stick. I rebooted, ran it again off of the stick; no log. Should I run query?

farbar View Member Profile	Oct 29 2009, 06:18 PM Post #8
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	QUOTE When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please post the contents here -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 29 2009, 06:50 PM Post #9
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Ugg Slaps head Lives up to username Posts log from win32... Running from: K:\Win32kDiag.exe Log file at : C:\Documents and Settings\Brian\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe [1] 2004-08-10 07:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation) [1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe () [1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation) Cannot access: C:\WINDOWS\system32\MRT.exe [1] 2009-10-02 14:01:57 25198016 C:\WINDOWS\system32\MRT.exe () Cannot access: C:\WINDOWS\system32\svchost.exe [1] 2004-08-10 07:00:00 14336 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe (Microsoft Corporation) [1] 2008-04-13 20:12:36 14336 C:\WINDOWS\ServicePackFiles\i386\svchost.exe (Microsoft Corporation) [1] 2008-04-13 20:12:36 14336 C:\WINDOWS\system32\svchost.exe () Finished! Ran Query: ------ REGISTRY: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] - HTTPFilter - HTTPFilter - LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV - NetworkService - DnsCache - DcomLaunch - DcomLaunch, TermService - rpcss - RpcSs - imgsvc - StiSvc - termsvcs - TermService - eapsvcs - eaphost - dot3svc - dot3svc - WudfServiceGroup - WUDFSvc - netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, MHN, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, napagent, hkmsvc HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch CoInitializeSecurityParam REG_DWORD 1 (0x1) DefaultRpcStackSize REG_DWORD 8 (0x8) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc AuthenticationCapabilities REG_DWORD 12320 (0x3020) CoInitializeSecurityParam REG_DWORD 1 (0x1) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs AuthenticationCapabilities REG_DWORD 12320 (0x3020) CoInitializeSecurityParam REG_DWORD 1 (0x1) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter CoInitializeSecurityParam REG_DWORD 1 (0x1) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService CoInitializeSecurityParam REG_DWORD 1 (0x1) AuthenticationCapabilities REG_DWORD 8192 (0x2000) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs CoInitializeSecurityParam REG_DWORD 1 (0x1) AuthenticationCapabilities REG_DWORD 12320 (0x3020) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth CoInitializeSecurityParam REG_DWORD 2 (0x2) AuthenticationCapabilities REG_DWORD 64 (0x40) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs CoInitializeSecurityParam REG_DWORD 1 (0x1) DefaultRpcStackSize REG_DWORD 8 (0x8) HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 ------ SVCHOST SERVICES NOT RUNNING STOPPED: AUTO_START: AudioSrv : Windows Audio STOPPED: AUTO_START: BITS : Background Intelligent Transfer Service STOPPED: AUTO_START: Browser : Computer Browser STOPPED: AUTO_START: CryptSvc : CryptSvc STOPPED: AUTO_START: DcomLaunch : DCOM Server Process Launcher STOPPED: AUTO_START: Dhcp : DHCP Client STOPPED: AUTO_START: dmserver : Logical Disk Manager STOPPED: AUTO_START: Dnscache : DNS Client STOPPED: AUTO_START: ERSvc : Error Reporting Service STOPPED: AUTO_START: helpsvc : Help and Support STOPPED: AUTO_START: lanmanserver : Server STOPPED: AUTO_START: lanmanworkstation : Workstation STOPPED: AUTO_START: LmHosts : TCP/IP NetBIOS Helper STOPPED: AUTO_START: RemoteRegistry : Remote Registry STOPPED: AUTO_START: RpcSs : Remote Procedure Call (RPC) STOPPED: AUTO_START: Schedule : Task Scheduler STOPPED: AUTO_START: seclogon : Secondary Logon STOPPED: AUTO_START: SENS : System Event Notification STOPPED: AUTO_START: SharedAccess : Windows Firewall/Internet Connection Sharing (ICS) STOPPED: AUTO_START: ShellHWDetection : Shell Hardware Detection STOPPED: AUTO_START: srservice : System Restore Service STOPPED: AUTO_START: SSDPSRV : SSDP Discovery Service STOPPED: AUTO_START: stisvc : Windows Image Acquisition (WIA) STOPPED: AUTO_START: Themes : Themes STOPPED: AUTO_START: TrkWks : Distributed Link Tracking Client STOPPED: AUTO_START: W32Time : Windows Time STOPPED: AUTO_START: WebClient : WebClient STOPPED: AUTO_START: winmgmt : Windows Management Instrumentation STOPPED: AUTO_START: wscsvc : Security Center STOPPED: AUTO_START: wuauserv : Automatic Updates STOPPED: AUTO_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework STOPPED: AUTO_START: WZCSVC : Wireless Zero Configuration STOPPED: DEMAND_START: AppMgmt : Application Management STOPPED: DEMAND_START: Dot3svc : Wired AutoConfig STOPPED: DEMAND_START: EapHost : Extensible Authentication Protocol Service STOPPED: DEMAND_START: EventSystem : COM+ Event System STOPPED: DEMAND_START: FastUserSwitchingCompatibility : Fast User Switching Compatibility STOPPED: DEMAND_START: hkmsvc : Health Key and Certificate Management Service STOPPED: DEMAND_START: HTTPFilter : HTTP SSL STOPPED: DEMAND_START: MHN : MHN STOPPED: DEMAND_START: napagent : Network Access Protection Agent STOPPED: DEMAND_START: Netman : Network Connections STOPPED: DEMAND_START: Nla : Network Location Awareness (NLA) STOPPED: DEMAND_START: NtmsSvc : Removable Storage STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager STOPPED: DEMAND_START: RasMan : Remote Access Connection Manager STOPPED: DEMAND_START: TapiSrv : Telephony STOPPED: DEMAND_START: TermService : Terminal Services STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions STOPPED: DEMAND_START: xmlprov : Network Provisioning Service STOPPED: DISABLED: Alerter : Alerter STOPPED: DISABLED: HidServ : Human Interface Device Access STOPPED: DISABLED: Messenger : Messenger STOPPED: DISABLED: RemoteAccess : Routing and Remote Access ------ SVCHOST CURRENTLY RUNNING: ------ SVCHOST SUB-DEPENDENTS HTTPFilter = 1 STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service upnphost = 1 STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service SSDPSRV = 4 STOPPED: CCALib8: Canon Camera Access Library 8 STOPPED: McrdSvc: Media Center Extender Service STOPPED: upnphost: Universal Plug and Play Device Host STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service DMServer = 1 STOPPED: dmadmin: Logical Disk Manager Administrative Service EventSystem = 1 STOPPED: SENS: System Event Notification LanmanServer = 1 STOPPED: Browser: Computer Browser LanmanWorkstation = 5 STOPPED: Alerter: Alerter STOPPED: Browser: Computer Browser STOPPED: Messenger: Messenger STOPPED: Netlogon: Net Logon STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator Netman = 1 STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS) Rasman = 2 STOPPED: RasAuto: Remote Access Auto Connection Manager STOPPED: TmPfw: Trend Micro Personal Firewall Tapisrv = 3 STOPPED: RasAuto: Remote Access Auto Connection Manager STOPPED: RasMan: Remote Access Connection Manager STOPPED: TmPfw: Trend Micro Personal Firewall winmgmt = 2 STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS) STOPPED: wscsvc: Security Center TermService = 1 STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility RpcSs = 64 STOPPED: AudioSrv: Windows Audio STOPPED: BITS: Background Intelligent Transfer Service STOPPED: Browser Defender Update Service: Browser Defender Update Service STOPPED: CCALib8: Canon Camera Access Library 8 STOPPED: CiSvc: Indexing Service STOPPED: COMSysApp: COM+ System Application STOPPED: CryptSvc: CryptSvc STOPPED: dmadmin: Logical Disk Manager Administrative Service STOPPED: dmserver: Logical Disk Manager STOPPED: Dot3svc: Wired AutoConfig STOPPED: EapHost: Extensible Authentication Protocol Service STOPPED: ehRecvr: Media Center Receiver Service STOPPED: ehSched: Media Center Scheduler Service STOPPED: ERSvc: Error Reporting Service STOPPED: EventSystem: COM+ Event System STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility STOPPED: gupdate1c98fc134283962: Google Update Service (gupdate1c98fc134283962) STOPPED: gusvc: Google Software Updater STOPPED: helpsvc: Help and Support STOPPED: HidServ: Human Interface Device Access STOPPED: hkmsvc: Health Key and Certificate Management Service STOPPED: IISADMIN: IIS Admin STOPPED: iPod Service: iPod Service STOPPED: LPDSVC: TCP/IP Print Server STOPPED: McrdSvc: Media Center Extender Service STOPPED: MDM: Machine Debug Manager STOPPED: Messenger: Messenger STOPPED: MHN: MHN STOPPED: MSDTC: Distributed Transaction Coordinator STOPPED: MSIServer: Windows Installer STOPPED: napagent: Network Access Protection Agent STOPPED: Netman: Network Connections STOPPED: NtmsSvc: Removable Storage STOPPED: PcCtlCom: Trend Micro Central Control Component STOPPED: PolicyAgent: IPSEC Services STOPPED: ProtectedStorage: Protected Storage STOPPED: RasAuto: Remote Access Auto Connection Manager STOPPED: RasMan: Remote Access Connection Manager STOPPED: RDSessMgr: Remote Desktop Help Session Manager STOPPED: RemoteAccess: Routing and Remote Access STOPPED: RemoteRegistry: Remote Registry STOPPED: RSVP: QoS RSVP STOPPED: SamSs: Security Accounts Manager STOPPED: Schedule: Task Scheduler STOPPED: SENS: System Event Notification STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS) STOPPED: ShellHWDetection: Shell Hardware Detection STOPPED: SMTPSVC: Simple Mail Transfer Protocol (SMTP) STOPPED: Spooler: Print Spooler STOPPED: srservice: System Restore Service STOPPED: stisvc: Windows Image Acquisition (WIA) STOPPED: SwPrv: MS Software Shadow Copy Provider STOPPED: TapiSrv: Telephony STOPPED: TermService: Terminal Services STOPPED: TlntSvr: Telnet STOPPED: TmPfw: Trend Micro Personal Firewall STOPPED: TrkWks: Distributed Link Tracking Client STOPPED: VSS: Volume Shadow Copy STOPPED: W3SVC: World Wide Web Publishing STOPPED: winmgmt: Windows Management Instrumentation STOPPED: WmiApSrv: WMI Performance Adapter STOPPED: wscsvc: Security Center STOPPED: WZCSVC: Wireless Zero Configuration STOPPED: xmlprov: Network Provisioning Service StiSvc = 1 STOPPED: CCALib8: Canon Camera Access Library 8 TermService = 1 STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility eaphost = 1 STOPPED: Dot3svc: Wired AutoConfig

farbar View Member Profile	Oct 29 2009, 07:08 PM Post #10
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Please do the following: Download this tool and save it to the flash drive: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe Go to Start => Run => Copy and paste or type the following line in the run box and click OK: "k:\inherit.exe" "C:\WINDOWS\system32\svchost.exe" Note: There is a space between "k:\inherit.exe" and "C:\WINDOWS\system32\svchost.exe" If you get a security warning select Run. You will get a "Finish" popup. Click OK. Reboot the computer and run the querySvc.exe once more. Post the log please. -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 30 2009, 01:19 AM Post #11
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Did as instructed, when I select Okay in the run box, the box attempts to run, but instead closes and nothing happens.

farbar View Member Profile	Oct 30 2009, 05:48 AM Post #12
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Go to start > Run copy/paste the following line in the run box and click OK. k:\win32kdiag.exe -f -r When it's finished, there will be a log called Win32kDiag.txt on your desktop. First reboot then post the log here. -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 30 2009, 05:53 AM Post #13
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Okay, I think I got it: ran the log, copied it, then rebooted? I'm hoping so: Running from: k:\Win32kDiag.exe Log file at : C:\Documents and Settings\Brian\Desktop\Win32kDiag.txt Removing all found mount points. Attempting to reset file permissions. WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe Cannot access: C:\WINDOWS\system32\MRT.exe Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe Cannot access: C:\WINDOWS\system32\svchost.exe Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe Finished!

farbar View Member Profile	Oct 30 2009, 05:57 AM Post #14
Bleeping Curious Group: HJT Team Posts: 7,258 Joined: 8-December 07 From: The Netherlands Member No.: 175,240	Well done. Please repeat the step once more. -------------------- This is a voluntary free service. However, if you would like to donate click on

IditoUser View Member Profile	Oct 30 2009, 07:49 AM Post #15
Member Group: Members Posts: 23 Joined: 27-October 09 Member No.: 395,069	Okay, Win32diag log: Running from: k:\Win32kDiag.exe Log file at : C:\Documents and Settings\Brian\Desktop\Win32kDiag.txt Removing all found mount points. Attempting to reset file permissions. WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Finished!

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

3 Pages

1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 1st December 2009 - 10:23 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides