
My Local Drive Has Disappeared


15 replies to this topic

#1 Brainbabe

  • Members
  • 25 posts

Posted 07 June 2008 - 07:11 AM

After being infected with a virus (Privacy Protector, + Error cleaner, etc.) and removing according to instructions I found on Bleeping using SDFix, I have discovered that I cannot see nor access my C and D drives from My Computer. They have disappeared and all I can see is My documents. How can I recover these icons? Thank you for your help in advance.

(Moderator edit: thread moved to more appropriate forum. jgweed)

Edited by jgweed, 07 June 2008 - 12:55 PM.




#2 AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 07 June 2008 - 08:36 AM

Hi,

SDFix has two .inf files in its folder named XP_CodecRepair.inf & W2K_CodecRepair.inf. If you're using Windows XP then right click the XP_CodecRepair.inf and choose Install and it will remove the policy restrictions being added by this trojan, restore the Start Menu items and set it to show all drives. After installing the .inf file any available drives should then show up as normal under Start > My Computer.

Regards

Andy
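The drive hiding Andy describes is done through Explorer's policy registry values; the following is an added example (not from the thread or from SDFix) that decodes those values and reports which drives and shell features a machine is currently restricting. The registry subkey and value names are the standard Windows ones, the list of Start Menu restrictions is an assumed common subset, and the sample values are constructed.

```python
"""Audit the Explorer policy values that drive-hiding trojans set.

Added example (not from the thread or from SDFix).  The registry subkey and
value names are standard Windows ones; the sample values are constructed.
"""
import sys
from typing import Dict, List

# Explorer reads its restriction policies from this subkey under HKCU and HKLM.
POLICY_SUBKEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"

# Bitmask values: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.
# NoDrives hides drive icons in My Computer; NoViewOnDrive blocks opening them.
DRIVE_MASK_VALUES = ("NoDrives", "NoViewOnDrive")

# Non-zero DWORDs here remove Start Menu / shell features (assumed common set).
RESTRICTION_VALUES = ("NoRun", "NoFind", "NoControlPanel", "NoFolderOptions",
                      "NoDesktop", "NoClose", "NoLogOff", "NoSetFolders")


def mask_to_drives(mask: int) -> List[str]:
    """Decode a NoDrives-style bitmask into drive letters."""
    return [f"{chr(ord('A') + bit)}:" for bit in range(26) if mask & (1 << bit)]


def drives_to_mask(drives: List[str]) -> int:
    """Inverse of mask_to_drives, e.g. ["C:", "D:"] -> 0x0C."""
    mask = 0
    for drive in drives:
        mask |= 1 << (ord(drive[0].upper()) - ord("A"))
    return mask


def audit_policies(values: Dict[str, int]) -> Dict[str, List[str]]:
    """Report restricting values from one Policies\\Explorer key.

    values maps value name -> DWORD data.  Returns name -> explanation list;
    an empty dict is the expected state on a home PC with no policies applied.
    """
    findings: Dict[str, List[str]] = {}
    for name, data in values.items():
        if not data:
            continue
        if name in DRIVE_MASK_VALUES:
            findings[name] = mask_to_drives(data)
        elif name in RESTRICTION_VALUES:
            findings[name] = ["restriction enabled"]
    return findings


def read_explorer_policies() -> Dict[str, Dict[str, int]]:
    """Read the live DWORD values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    result: Dict[str, Dict[str, int]] = {}
    for hive_name, hive in hives.items():
        try:
            key = winreg.OpenKey(hive, POLICY_SUBKEY)
        except OSError:
            continue  # key absent: no policies set in this hive
        values: Dict[str, int] = {}
        with key:
            index = 0
            while True:
                try:
                    name, data, vtype = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                if vtype == winreg.REG_DWORD:
                    values[name] = data
                index += 1
        result[f"{hive_name}\\{POLICY_SUBKEY}"] = values
    return result


if __name__ == "__main__":
    live = read_explorer_policies()
    # Constructed sample reproducing the thread's symptom: C: and D: hidden.
    sample = {"NoDrives": drives_to_mask(["C:", "D:"]), "NoRun": 1}
    for location, values in (live or {"constructed sample": sample}).items():
        for name, detail in audit_policies(values).items():
            print(f"{location}: {name} -> {', '.join(detail)}")
```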

#3 Brainbabe
  • Topic Starter

  • Members
  • 25 posts

Posted 07 June 2008 - 12:25 PM

Thanks Andy - I did that and I can now see C :thumbsup: .
However, I am now trying to get rid of an intruder called TROJ_AGENT.RJC. Any suggestions??

#4 AndyManchesta

  • Members
  • 58 posts
  • Gender:Male
  • Location:Manchester, UK

Posted 07 June 2008 - 12:52 PM

Hi Brainbabe,

Can you post a couple of logs if you think the machine is still infected, as it will make it a lot easier for me to help. If you still have the SDFix log (C:\SDFix\Report.txt) can you copy and paste that back on here; if SDFix has been used more than once then there may be files named Report_old_1.txt or Report_old_2.txt etc., so also post them if they exist.

If you have HijackThis installed then also post back a HJT log in your next reply; if you do not have HijackThis then here are the setup instructions:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and once it's finished it will open the results in Notepad.
  • Come back here to this thread and paste the full log in your next reply.
  • Do NOT have HijackThis fix anything at this stage as most of what it finds will be genuine and needed for your system.
Finally please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program will then start downloading the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshots of the Kaspersky "Scan is completed" window and its Save Report As button were posted here.]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save

Please post the Kaspersky Scanner Report, the SDFix log and a HijackThis log and we can then help you to remove anything that remains,

Thanks

#5 Brainbabe
  • Topic Starter

  • Members
  • 25 posts

Posted 08 June 2008 - 07:53 AM

OK Andy,
I now have the three reports as you instructed: one from SDFix, one from Kaspersky Scan and one from HijackThis. I didn't know how to attach them (or whether I can) so I am including each one in a separate post (because otherwise it tells me the post is too long).
Here goes the first report.

SD FIX REPORT

SDFix: Version 1.187
Run by Admin on 01/06/2008 at 22:48

Microsoft Windows XP [Versión 5.1.2600]
Running From: C:\DOCUME~1\Admin\ESCRIT~1\SDFix

Checking Services :

Name :
msupdate
RXD38

Path :
c:\windows\system32\mssrv32.exe
System32\Drivers\rxD38.sys

msupdate - Deleted
RXD38 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Restored Windows ProductId registry value
Reset Time Format

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\Documents and Settings\Admin\Escritorio\Error Cleaner.url - Deleted
C:\Documents and Settings\Admin\Favoritos\Error Cleaner.url - Deleted
C:\Documents and Settings\Admin\Escritorio\Privacy Protector.url - Deleted
C:\Documents and Settings\Admin\Favoritos\Privacy Protector.url - Deleted
C:\Documents and Settings\Admin\Escritorio\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Admin\Favoritos\Spyware&Malware Protection.url - Deleted
C:\windows\system32\mssrv32.exe - Deleted
C:\windows\system32\WinCtrl32.dll - Deleted
C:\windows\system32\WinCtrl32.dl_ - Deleted
C:\windows\system32\drivers\RXD38(2).sys - Deleted
C:\windows\system32\drivers\RXD38.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 23:09:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

RXD38



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Archivos de programa\\Internet Explorer\\iexplore.exe"="C:\\Archivos de programa\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Archivos de programa\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Archivos de programa\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Archivos de programa\\iTunes\\iTunes.exe"="C:\\Archivos de programa\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"="C:\\Archivos de programa\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"="C:\\Archivos de programa\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Archivos de programa\\Ares\\Ares.exe"="C:\\Archivos de programa\\Ares\\Ares.exe:*:Enabled:Ares"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\Admin\ESCRIT~1\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!


I look forward to receiving your diagnosis. :thumbsup:
Best regards

#6 Brainbabe
  • Topic Starter

  • Members
  • 25 posts

Posted 08 June 2008 - 07:54 AM

HERE IS THE HIJACK THIS REPORT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:11, on 08/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Gigaset DECT\gigaset-m34-usb\dlrblckr.exe
C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\skypeclient.exe
C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\messengerservice.exe
C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\keymap.exe
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\appsvr.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe
C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe
C:\windows\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Admin\Datos de programa\Smilebox\SmileboxTray.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\HPQ\SHARED\HPQWMI.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~4\PccUpdUI.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {910DDC36-92C5-4D2A-B6CC-2DE257FBABFD} - C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\5inav.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar10.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: XBTP09580 - {B16F8052-1A10-4967-9F98-1A21ECC782F2} - C:\ARCHIV~1\WORDRE~1\tbu2B\WORDRE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar10.dll
O3 - Toolbar: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Archivos de programa\Archivos comunes\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Archivos de programa\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Archivos de programa\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Archivos de programa\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlrblckr.exe] "C:\Archivos de programa\Gigaset DECT\gigaset-m34-usb\dlrblckr.exe"
O4 - HKLM\..\Run: [skypeclient.exe] "C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\skypeclient.exe"
O4 - HKLM\..\Run: [messengerservice.exe] "C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\messengerservice.exe"
O4 - HKLM\..\Run: [keymap.exe] "C:\Archivos de programa\Gigaset DECT\gigaset-m34-software\keymap.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Admin\Datos de programa\Smilebox\SmileboxTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Archivos de programa\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/default.cab?uid=3&...mp;1s&ppd=3
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4EF409C-872D-4D04-8CEC-20E737351766}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{D56C86CB-B779-4AE0-AE06-E08156921774}: NameServer = 80.58.61.250,80.58.61.254
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {0E36EB24-31C3-46E9-B176-69FFBB3B92C4} - C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\V0.39.dat
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\windows\SYSTEM32\crypserv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Archivos de programa\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Protección frente a spyware de Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 12496 bytes

In the next post I will send the last Scan by Kaspersky.

#7 Brainbabe


Posted 08 June 2008 - 08:03 AM

I have to go to lunch so I will try to send the Kaspersky Scan after lunch - I am having trouble because it says it is too long.

#8 Brainbabe


Posted 08 June 2008 - 10:54 AM

Here is a link to the Kaspersky Scan because every time I try to post it, I get an error message saying it is too big.
The virus is on an HP laptop, in which both I and my husband (Javier) are Administrators -- I think the virus is in his window.

This is the link to the Kaspersky Scan Report.
Kaspersky Scan Report

Or maybe this one is clearer.
Kaspersky Scan Report-Version 2

Many many thanks.

Edited by Brainbabe, 08 June 2008 - 11:10 AM.


#9 AndyManchesta


Posted 08 June 2008 - 11:02 AM

Thanks Brainbabe,

Can you delete the SDFix.exe and the SDFix folder, then please download and run the tool again and post the new report.txt it creates. It's removed a nasty rootkit from your machine named Srizbi (recently estimated to be sending 60 billion spam email messages every day using infected machines) and it seems to have gone fine, as it was able to delete the rootkit files, which wouldn't have been possible if it was still active, but in its final check it's found the same trojan service is still on the machine, so there may be some permission problems which are making it unable to delete the registry key. If it shows up again in the latest version and still fails to remove it then we can try a couple of other tools, but hopefully it's just a leftover which will go easily enough if it does still exist.

If the Kaspersky log is too large to copy and paste, please can you upload it here and I'll download it to check for any additional problems.

http://www.bleepingcomputer.com/submit-mal....php?channel=27


Are you still getting the TROJ_AGENT.RJC alerts and if so does the program show where it's detecting the threat? This Srizbi rootkit which has been on your PC is also known as Rootkit.Agent, so it's possibly detecting parts of the same infection, but it would help to know if it's still showing alerts and where it's finding the trojan if it is.

Cheers

Andy

#10 AndyManchesta


Posted 08 June 2008 - 11:06 AM

:thumbsup: Sorry, I just noticed you replied after I posted. I'll check the log and then wait to see how the next run of SDFix looks.

#11 Brainbabe


Posted 08 June 2008 - 12:37 PM

I have just finished running SDFix as you instructed and here is the final report.

SDFix: Version 1.187
Run by Admin on 08/06/2008 at 18:50

Microsoft Windows XP [Versión 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 19:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Archivos de programa\\Internet Explorer\\iexplore.exe"="C:\\Archivos de programa\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Archivos de programa\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Archivos de programa\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Archivos de programa\\iTunes\\iTunes.exe"="C:\\Archivos de programa\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"="C:\\Archivos de programa\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"="C:\\Archivos de programa\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Archivos de programa\\Ares\\Ares.exe"="C:\\Archivos de programa\\Ares\\Ares.exe:*:Enabled:Ares"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sat 31 Mar 2007 5,355,320 A..H. --- "C:\Archivos de programa\Picasa2\setup.exe"
Wed 25 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 7 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 17 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\27f538dd8ae384fcc588e644b2823ce8\BIT15.tmp"
Sat 24 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\98d586d64b671cf7353dc6d0af75e455\BIT10.tmp"
Sat 29 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT83.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e333946a72df07902c13124415079b00\BITC.tmp"
Mon 18 Jul 2005 162 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\~$RL3580.tmp"
Wed 10 Jul 2002 178,176 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\~WRL0466.tmp"
Fri 25 Jul 2003 835,584 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\~WRL1656.tmp"
Thu 11 Jul 2002 84,992 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\~WRL3580.tmp"
Mon 15 Oct 2001 26,624 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\Calendars-Timetables\~WRL0575.tmp"
Wed 26 Mar 2003 39,424 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\My e-Quizzes\~WRL3258.tmp"
Wed 15 Nov 2006 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BITC.tmp"
Thu 25 Nov 2004 578,048 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\Translation\Translation Jobs\Traducciones\~WRL2497.tmp"
Thu 27 Jan 2005 104,448 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB Exams\~WRL0593.tmp"
Wed 3 Nov 2004 55,296 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB-Student's work\~WRL0485.tmp"
Tue 2 Nov 2004 43,008 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB-Student's work\~WRL2187.tmp"
Thu 15 Jul 2004 22,016 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB3 Advertising& Promo\~WRL0098.tmp"
Mon 14 Jul 2003 29,696 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB4 Banking\~WRL1364.tmp"
Tue 8 Feb 2005 30,720 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB5 Trade\~WRL0055.tmp"
Mon 21 Jul 2003 292,352 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB6 Sales\~WRL0526.tmp"
Fri 15 Apr 2005 41,472 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB6 Sales\~WRL1660.tmp"
Fri 31 May 2002 77,312 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB6 Sales\~WRL3403.tmp"
Mon 21 Jul 2003 174,080 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB7 Negotiations\~WRL0997.tmp"
Fri 15 Jul 2005 2,353,152 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL0386.tmp"
Fri 2 Sep 2005 10,359,808 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL0398.tmp"
Wed 14 Sep 2005 2,847,744 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL0456.tmp"
Thu 22 Jul 2004 2,291,712 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL0732.tmp"
Thu 2 Sep 2004 4,676,608 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL2860.tmp"
Mon 5 Sep 2005 10,324,480 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL2963.tmp"
Mon 29 Aug 2005 3,162,624 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\06 Intl relations\~WRL3404.tmp"
Thu 29 May 2003 121,344 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\1º E1C- Quizzes Exams\~WRL0372.tmp"
Tue 20 May 2003 176,640 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\1º E1C- Quizzes Exams\~WRL1224.tmp"
Thu 22 Jul 2004 2,291,712 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\Intl relations 04-05\~WRL0732.tmp"
Thu 2 Sep 2004 4,676,608 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\Intl relations 04-05\~WRL2860.tmp"
Tue 18 Mar 2003 26,112 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR1 Countries\~WRL0797.tmp"
Mon 23 Jun 2003 101,376 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR3 Cultural differences\~WRL2212.tmp"
Wed 10 Mar 2004 195,072 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR7 NGO's\~WRL3470.tmp"
Thu 19 Jun 2003 281,600 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Intro- Appendix\~WRL0471.tmp"
Tue 15 Mar 2005 20,480 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\~WRL3756.tmp"
Mon 29 Nov 1999 20,480 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICAI\Calendars\~WRL0003.tmp"
Mon 29 Nov 1999 20,480 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICAI\Calendars\~WRL0005.tmp"
Thu 9 Dec 1999 31,744 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\IIM\Consejo-Meetings\~WRL0005.tmp"
Mon 13 Dec 1999 30,720 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\IIM\Consejo-Meetings\~WRL0938.tmp"
Tue 21 Jun 2005 33,792 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\IIM-Cursos formacion UPCO\ICE-cursos\~WRL3646.tmp"
Wed 12 Nov 2003 66,048 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB Project work\1st term-Project work\~WRL0670.tmp"
Fri 31 May 2002 77,312 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\DB Project work\2nd term Project work\~WRL3403.tmp"
Thu 23 May 2002 60,928 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law-Doing business\Law-02-03\1º Law-Review Exercises\~WRL0897.tmp"
Thu 29 May 2003 121,344 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\1º E1C- Quizzes Exams\1º E1C- Quizzes Exams\~WRL0372.tmp"
Tue 20 May 2003 176,640 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\1º E1C- Quizzes Exams\1º E1C- Quizzes Exams\~WRL1224.tmp"
Tue 18 Mar 2003 26,112 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR1 Countries\IR1 Countries\~WRL0797.tmp"
Mon 29 Nov 2004 445,440 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\~WRL1208.tmp"
Wed 5 Jun 2002 213,504 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\2º Dcho\~WRL3468.tmp"
Mon 11 Sep 2000 122,368 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICAI\1º-2º IOI\2º Org exams\~WRL1457.tmp"
Thu 10 Feb 2000 532,992 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICAI\1º IAEI\7- Robotics- Automation\~WRL0002.tmp"
Mon 24 Jan 2005 367,616 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\IIM\Español- cursos especiales\Español-Formularios-Info\~WRL2363.tmp"
Fri 31 Mar 2000 665,088 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\IIM\IIM-Courses\Cursos adicionales\~WRL0470.tmp"
Fri 4 Feb 2005 67,584 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL0766.tmp"
Fri 4 Feb 2005 59,392 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL1148.tmp"
Fri 4 Feb 2005 64,000 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL2296.tmp"
Fri 4 Feb 2005 63,488 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL2397.tmp"
Fri 4 Feb 2005 67,584 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL2910.tmp"
Fri 4 Feb 2005 73,216 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\1º Law- Intl Relations\IR Ss work-projects\05-Student work\05-U.2 political profile\~WRL3067.tmp"
Tue 13 Mar 2001 30,720 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Dcho - 00-01\U. 6 Trade\~WRL0266.tmp"
Thu 23 May 2002 60,928 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\1º Law-Review Exercises\~WRL0897.tmp"
Fri 31 May 2002 77,312 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\~WRL3403.tmp"
Fri 6 May 2005 113,152 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\Placement exams\Placement exams\Ingles\ETSI-ICAI\~WRL2786.tmp"
Sun 12 May 2002 22,528 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\01-02 Letters\1E3C-letters\~WRL0246.tmp"
Fri 10 May 2002 27,648 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\01-02 Letters\1E3C-letters\~WRL0278.tmp"
Sat 11 May 2002 21,504 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\01-02 Letters\1E3C-letters\~WRL1294.tmp"
Sun 12 May 2002 20,480 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\01-02 Letters\1E3C-letters\~WRL1461.tmp"
Thu 16 May 2002 25,088 A..H. --- "C:\Documents and Settings\Admin\Mis documentos\UPComillas-IIM HD\ICADE\Derecho\1º Law-02-03\2nd term Project work\01-02 Letters\1E3C-letters\~WRL3285.tmp"

Finished!

Again -- this was only a scan of my window - my husband also had Administrator privileges and I think the intruder got in through his window. I don't know if I have to do this procedure in his window as well. As for warnings, the last time I ran Trend Micro yesterday evening, it did not detect it, but strange things are happening that didn't used to happen, like not being able to access certain web pages which I could access before, or functions that have disappeared on my husband's window like the SEARCH function or the CHANGE USER function; I can only SHUT DOWN on his window but I can't change user.

Edited by Brainbabe, 08 June 2008 - 12:43 PM.


#12 AndyManchesta


Posted 08 June 2008 - 03:22 PM

Thanks for the logs Brainbabe,

Let's start by clearing up the visible problems, then we can see what issues remain and take it from there.

Run HijackThis and choose Do A System Scan then place a check next to these entries

O2 - BHO: (no name) - {910DDC36-92C5-4D2A-B6CC-2DE257FBABFD} - C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\5inav.dat
O3 - Toolbar: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - h*tp://www.netvenda.com/default.cab?uid=3&...mp;1s&ppd=3
O18 - Filter hijack: text/html - {0E36EB24-31C3-46E9-B176-69FFBB3B92C4} - C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\V0.39.dat

Close ALL open IE Browser and other windows except for HijackThis and then press the Fix Checked button; you can then exit HijackThis.

Next can you set Windows to show hidden files and folders.

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide extensions for known file types" option

Click Yes to confirm then OK

Set this back once you have checked for the below files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

Then delete these files:

C:\WINDOWS\system32\mssrv32(2).exe
C:\WINDOWS\system32\mssrv32(3).exe
C:\WINDOWS\system32\mssrv32(4).exe
C:\WINDOWS\system32\WinCtrl32(2).dll

Also delete these below if they still exist

C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\5inav.dat
C:\Documents and Settings\Virginia\Configuración local\Datos de programa\microsoft\internet explorer\V0.39.dat

The latest SDFix log looks fine, so the rootkit has been deleted, but can you run the below commands and post back the results so I can make sure the service hasn't been left behind.

Goto Start > Run > type Cmd

On the Command Prompt screen please copy and paste these commands and press Enter after each one

sc qc RXD38>%systemdrive%\check.txt
(Press Enter)
sc delete RXD38>>%systemdrive%\check.txt
(Press Enter)
sc qc RXD38>>%systemdrive%\check.txt
(Press Enter)
Then type exit and press Enter again to close the cmd screen then post the contents of the C:\Check.txt in your next reply,


Kaspersky is detecting some infected files in Trend Micro's Quarantine folder, so you could clear them to prevent other scanners finding them at a later stage. There are some instructions below for accessing the Quarantine options in Trend if needed, although you would just need to click the Delete All option to remove them from the PC rather than clean any.
http://esupport.trendmicro.com/support/vie...p;id=EN-1035857

Kaspersky's also detecting infected files in the temp folder and System Restore area, so it's best to clear them to prevent more alerts from your AV.

Download Ccleaner from Here to clear all temp files from the machine. Run the setup file and press Next, click I Agree on the Licence Agreement then Next again, click Install and then finally click Finish, Run Ccleaner and press the Run Cleaner button to remove temp files then exit Ccleaner.

To clear the System Restore points Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.


Regarding your husband's account, can you open Notepad (Start > Run > Notepad) then copy and paste the contents of the code box below into it, making REGEDIT4 the top line

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=-
"NoLogOff"=-

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files, then name it fix.reg and save it to your C:\Drive (it needs to be in C:\ rather than the desktop if it's done using your account, so that you can locate it easily again when you log in to your husband's account).

Then log in to your husband's account and right click the C:\fix.reg file you saved and choose Merge and allow it to be merged into the registry. While you're still in your husband's account please open the SDFix folder and right click the XP_CodecRepair.inf and choose Install again, as that only removes restrictions from the current account, then restart the PC and let me know if it's still missing any options from his account or if you're still having problems accessing certain webpages. Please also post the contents of the C:\Check.txt

Let us know if there's any problems

Thanks

#13 Brainbabe


Posted 08 June 2008 - 05:52 PM

Hi Andy,
I have done everything you ordered -- however, my husband's window still doesn't have the option of CHANGE USER, it only allows you to SHUT DOWN or RESTART the computer. When I right clicked on the XP_CodecRepair.inf and chose Install I got an Error message.


Below I include the contents of the C:\Check.txt.


[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

I am keeping my fingers crossed that we have gotten rid of whatever had taken over the computer. Thanks for all your help and detailed instructions. I'll keep you posted if I notice anything else that's strange. :thumbsup:

Edited by Brainbabe, 08 June 2008 - 05:53 PM.


#14 AndyManchesta


Posted 08 June 2008 - 07:43 PM

Hi Andy,
I have done everything you ordered --.


Am I really that bossy ? :thumbsup:

The results of the c:\check.txt are fine as it's showing the service doesn't exist now, but I'm a bit unsure what's causing the problem with your husband's account. It sounds like it's not an Admin account if installing the .inf file gave an 'Installation Failed' error, as it would do that if the user doesn't have permission to modify the registry, but the reg fix you used should have also given an error if that was the cause, so I'm not sure at the moment.

Can you double check that it's still showing as an Admin account for your husband's profile on the Start > Control Panel > User Accounts screen. If it's showing as a Limited User account then please let us know, as it would then be simple to change it. Next can you log back into your husband's account and goto Start > Run > then type cmd again, but this time on the cmd screen copy and paste

%systemdrive%\sdfix\apps\isadmin.exe

Press Enter and let me know if it shows Current user is an administrator or if it shows Current user is not an administrator on the cmd screen, then type exit and press Enter again to exit.

For the Search function on the Start Menu, try right clicking the Start Menu after you have logged into his account and choose Properties, then on the Start Menu tab click Customize, then the Advanced tab, and place a check next to Search if it's not already checked, then click OK

If the Log Off button is still missing then it may be a Policy restriction that's been added which wasn't removed by that earlier regfix, such as a NoStartMenuLogOff value, so could you run this batch file from his account and post back the results so I can check the reg keys

Open Notepad again (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad
regedit.exe /e checkreg1.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"
regedit.exe /e checkreg2.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"
regedit.exe /e checkreg3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg4.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
TYPE checkreg*.txt >>Result.txt
del /q Checkreg*.txt
Notepad Result.txt

Goto File on the top bar again and choose Save As, change the Save As Type to All Files, name it Check.bat, then save it to the desktop

Double click Check.bat and it will export the information from the registry and open that in Notepad. Please can you post the contents of that Result.txt back on here and let me know if the User Accounts screen and the cmd commands both show it's an Admin account or if either shows it's not
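
Post #12 above merges a fix.reg that deletes the NoClose and NoLogOff values, and post #14 exports the four Policies keys so any remaining restriction (for example NoStartMenuLogOff) can be spotted by hand. The script below is an added example written for this page; it is not part of SDFix, HijackThis or any post in the thread. It parses such a regedit export, flags the standard Explorer/System restriction values (including the NoDrives bitmask behind the original "C and D drives have disappeared" symptom and decodes which drive letters it hides), and writes a REGEDIT4 fix in the same "Name"=- deletion syntax Andy used. The KNOWN_RESTRICTIONS names beyond the four in the thread are standard Windows policy values, and SAMPLE_EXPORT is constructed for the example, not taken from the poster's machine.

```python
"""Flag hidden-drive / Start Menu policy restrictions in a regedit /e export
and emit a REGEDIT4 file that deletes them. Added example for this thread;
not part of SDFix or of the original posts."""
import re
import sys

# Standard Explorer/System policy values that hide UI or drives. NoDrives,
# NoClose, NoLogOff and NoStartMenuLogOff are the ones named in the thread.
KNOWN_RESTRICTIONS = {
    "NoDrives": "hides drive letters in My Computer",
    "NoViewOnDrive": "blocks opening the drives in the bitmask",
    "NoClose": "removes Shut Down from the Start Menu",
    "NoLogOff": "removes Log Off from the Start Menu",
    "NoStartMenuLogOff": "removes Log Off from the Start Menu",
    "NoFind": "removes Search from the Start Menu",
    "NoFolderOptions": "removes Folder Options (cannot unhide files)",
    "DisableRegistryTools": "blocks regedit",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed sample export (not from the poster's machine). It mixes real
# restrictions with NoDriveTypeAutoRun and Wallpaper, which are benign.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:0000000c
"NoClose"=dword:00000001
"NoLogOff"=dword:00000001
"NoFind"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: (kind, raw)}} for a REGEDIT4 / 5.00
    export; hex values regedit wraps with a trailing backslash are re-joined."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # blank, comment, header or default (@=) value
        name, raw = m.group(1), m.group(2)
        kind = "dword" if raw.startswith("dword:") else "other"
        keys[current][name] = (kind, raw.split(":", 1)[1] if kind == "dword" else raw)
    return keys


def decode_nodrives(mask):
    """Bit n of NoDrives / NoViewOnDrive hides drive A+n, so 0x0c hides C: and D:."""
    return [chr(ord("A") + n) + ":" for n in range(26) if mask & (1 << n)]


def find_restrictions(keys):
    """(key, value, description) for each known restriction set to a non-zero
    DWORD directly under a ...\\Policies\\Explorer or ...\\Policies\\System key."""
    hits = []
    for key, values in keys.items():
        lower = key.lower()
        if "\\policies\\" not in lower or lower.rsplit("\\", 1)[-1] not in ("explorer", "system"):
            continue
        for name, (kind, raw) in values.items():
            if name not in KNOWN_RESTRICTIONS or kind != "dword" or int(raw, 16) == 0:
                continue
            desc = KNOWN_RESTRICTIONS[name]
            if name in ("NoDrives", "NoViewOnDrive"):
                desc += ": " + ", ".join(decode_nodrives(int(raw, 16)))
            hits.append((key, name, desc))
    return hits


def build_fix_reg(hits):
    """REGEDIT4 text that deletes every flagged value with the same "Name"=-
    syntax as the fix.reg in the thread; merge it from the affected account."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # regedit 5.00 writes UTF-16LE with a BOM; REGEDIT4 exports are ANSI.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    text = SAMPLE_EXPORT if data is None else data.decode("utf-16" if data.startswith(b"\xff\xfe") else "latin-1")
    found = find_restrictions(parse_reg_export(text))
    for key, name, desc in found:
        print(f"{key}\n    {name}: {desc}")
    print("\n" + build_fix_reg(found))
```

Run it against the Result.txt produced by the batch file above (python flagpolicies.py Result.txt) and merge the generated .reg while logged in as the affected user: the HKEY_CURRENT_USER values only apply to the account that merges them, which is why the fix.reg in post #12 had to be merged from the husband's account, and anything under HKEY_LOCAL_MACHINE needs an administrator.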

#15 Brainbabe


Posted 10 June 2008 - 07:56 AM

Actually, I took away my husband's Admin status and made him a Limited user, so that may have been why it didn't work. I'll try again after making him ADMIN:
I'll let you know what happens. :flowers:

OK. I'm back . And it seems to have worked. I can now close the session without having to Shut down the entire computer.
I think everything is working now. Thanks so much!! :thumbsup:

Edited by Brainbabe, 10 June 2008 - 04:13 PM.




