
gromozon - and C:\windows\system32\naerkuje.bak in Debugger value HKLM\...


#1 tennscott

Posted 20 May 2009 - 11:03 AM

Dear Sirs,

I have run aground with this issue. I generally am able to keep things clean and running right, but last week, during my bi-weekly check using MBAM, it encountered FakeBill.CourtCologne and its associated files. This is a family computer, and I do the maintenance on it. The virus came back twice more.

So I ran Spybot S&D, and it found several items that I dutifully deleted. I then rebooted in SAFEMODE and then reran MBAM; again it found the same FakeBill.CourtCologne and its associated files again....which I thought odd. Then ran Spybot again and more issues appeared, so I deleted them, but one was HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe with some subkeys...one being Debugger REG_SZ "C:\Windows\System32\naerkuje.bak". I tried to delete it but it would not. It also found another directory C:\Avenger, which it deleted, and it came back so I renamed it Bvenger, and successfully deleted that directory. Reading about this I have come to find there is an issue with the Prevx folks, but

I then followed some advice for the same problem from Tom's Hardware website in the forums for malware removal pertaining to Debugger files. ...my mistake started there.... I could not delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe. I followed the advice, downloaded SuperAntispyware and ATF, ran them, and SuperAntiSpyware found an instance of a rootkit called gromozon and an additional unidentified Trojan. I pressed delete items found....and the application got a Runtime error, and my machine froze.

I rebooted, but since that moment I have had no icons or Startbar, and have not been able to call explorer.exe through Task Manager; the only way I am able to navigate right now is through it. To complicate things further, my System Restore is off for some reason so there is no way to go back to an earlier version.

I have tried to do Windows Restore and Repair, but it says there is no HDD. ...clearly there is...However, in retrospect, there were at least two botched steps on this issue on my part. Just wondering if there is any way out at this point? I am not moving any further on this without assistance, which I gladly welcome.

Thank you very much,
Tennscott

_______________________________________________________________________________________________


DDS (Ver_09-05-14.01) - FAT32x86
Run by scott at 10:26:10.70 on Wed 05/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.410 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DL_APPS\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {DE861006-70E0-A83D-E338-521631219EAB} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Realtime Monitor] "c:\progra~1\ca\etrust~1\realmon.exe" -s
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [FLMOFFICE4DMOUSE] c:\program files\office mouse\moffice.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mExplorerRun: [2967384946] "c:\windows\system32\srvzzsys.exe"
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\fileop~1.lnk - c:\program files\fileopen\plug_ins\FileOpenAPI.exe
StartupFolder: c:\documents and settings\scott\start menu\programs\startup\prf49.tmp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://apps.thompsonmachinery.com/Citrix/MetaFrame/ICAWEB_common/en/ica32/wficat.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094399072234
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145592615984
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://chill.comcast.net/AspNet2.0/App/games/channel--110341560/lc--en/room--9031f769-0e95-4254-a2a9-e5414091b81b/online/zenerchi/en/ZenerchiWeb.1.0.0.10.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - hxxp://www.net-viewer.com/dls/AutoInstall.exe
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\ydcu49ol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2004-2-23 70528]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-2-23 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-30 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-30 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-30 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-30 298776]
R2 CycloneLicenseServer;Cyclone License Server;c:\program files\leica geosystems\cyclone\CyraLicense.exe [2005-12-20 626688]
R2 Leica HDS Server;Leica HDS Server;c:\program files\leica geosystems\cyclone\ptserv32.exe [2005-12-20 573559]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 SVKP;SVKP;\??\c:\windows\system32\svkp.sys --> c:\windows\system32\SVKP.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 kylix;kylix;\??\c:\jamilah.sys --> c:\jamilah.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2004-2-23 747392]
S4 GMOV;GMOV;c:\docume~1\game\locals~1\temp\gmov.exe --> c:\docume~1\game\locals~1\temp\GMOV.exe [?]

=============== Created Last 30 ================

2009-05-20 09:11 0 a------- c:\windows\system32\naerkuje.bak
2009-05-19 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-19 23:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-19 23:16 <DIR> --d----- c:\docume~1\scott\applic~1\SUPERAntiSpyware.com
2009-05-19 22:28 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-19 22:28 116,224 a------- c:\windows\system32\dllcache\OLDD7C.tmp
2009-05-19 22:28 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-19 22:28 23,040 a------- c:\windows\system32\dllcache\OLDD78.tmp
2009-05-19 22:28 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-19 22:28 17,408 a------- c:\windows\system32\dllcache\OLDD74.tmp
2009-05-19 22:28 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-05-19 22:28 27,648 a------- c:\windows\system32\dllcache\OLDD70.tmp
2009-05-19 22:28 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-05-19 22:28 4,608 a------- c:\windows\system32\dllcache\OLDD6C.tmp
2009-05-19 22:27 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-05-19 22:27 99,865 a------- c:\windows\system32\dllcache\OLDD68.tmp
2009-05-19 22:27 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-05-19 22:27 28,288 a------- c:\windows\system32\dllcache\OLDD64.tmp
2009-05-19 22:27 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-05-19 22:27 16,970 a------- c:\windows\system32\dllcache\OLDD61.tmp
2009-05-19 22:27 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-05-19 22:27 19,455 a------- c:\windows\system32\dllcache\OLDD5D.tmp
2009-05-19 22:27 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-05-19 22:27 12,063 a------- c:\windows\system32\dllcache\OLDD59.tmp
2009-05-19 22:25 249,402 a------- c:\windows\system32\dllcache\vinwm.sys
2009-05-19 22:24 94,293 a------- c:\windows\system32\dllcache\sxports.dll
2009-05-19 22:23 17,664 a------- c:\windows\system32\dllcache\sermouse.sys
2009-05-19 22:22 83,748 a------- c:\windows\system32\dllcache\prcp.nls
2009-05-19 22:21 126,080 a------- c:\windows\system32\dllcache\OLD95C.tmp
2009-05-19 22:20 6,528 a------- c:\windows\system32\dllcache\OLD8E1.tmp
2009-05-19 22:19 5,632 a------- c:\windows\system32\dllcache\OLD844.tmp
2009-05-19 22:18 353,184 a------- c:\windows\system32\dllcache\OLD74A.tmp
2009-05-19 22:17 7,040 a------- c:\windows\system32\dllcache\OLD602.tmp
2009-05-19 22:16 131,156 a------- c:\windows\system32\dllcache\digidbp.dll
2009-05-19 22:15 37,916 a------- c:\windows\system32\dllcache\OLD3BC.tmp
2009-05-19 22:14 24,576 a------- c:\windows\system32\dllcache\OLD22E.tmp
2009-05-19 22:13 66,082 a------- c:\windows\system32\dllcache\OLD1F3.tmp
2009-05-19 22:12 97,354 a------- c:\windows\system32\dllcache\OLD76.tmp
2009-05-19 21:59 266,360 a------- c:\windows\system32\TweakUI.exe
2009-05-19 21:59 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-05-19 19:56 <DIR> --d----- c:\program files\Registry Distiller 1.03
2009-05-19 19:09 <DIR> --d----- c:\docume~1\scott\applic~1\Safer Networking
2009-05-19 19:08 <DIR> --d----- c:\program files\Safer Networking
2009-05-19 17:54 52,232 a------- c:\windows\system32\drivers\REGSYS701.SYS
2009-05-19 15:07 41,984 a------- C:\sd_ra_64.doc

==================== Find3M ====================

2009-05-19 14:16 686,142 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-05-11 09:17 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 09:17 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-11 09:17 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 09:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-01-12 01:17 835,464 a------- c:\documents and settings\scott\SharpReader0970.zip
2007-01-12 01:05 2,243,115 a------- c:\documents and settings\scott\amphetadesk-win-v0.93.1.zip
2005-06-28 17:54 774,144 a------- c:\program files\RngInterstitial.dll
2002-12-11 17:27 73,728 a--sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 10:28:09.23 ===============

Thank you very much,
Tennscott


be careful out there

#2 tennscott


Posted 20 May 2009 - 09:40 PM

Ok, after wrestling with this a little more, after being informed it might be several days before someone would be able to get to me, I put on my thinking hat for a bit....the reason I could not delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe key was a permissions issue. I opened Task Manager, and I went to File>New Task (Run)>regedt32.

I then navigated to the key, and in the left window HighLighted it. I then went to menu tab above and clicked on Edit>Permissions. This brought up the dialog box, Permissions for explorer.exe. In the top there was Everybody, then the Add / Remove buttons, then below the Permissions for Administration, and below that the Advanced button.

I clicked the advanced button. This brought up a Permissions dialog box with four tabs....in this case all I concerned myself with was the first one...Permissions. I highlighted Everybody in that display box in the tab, and then went to the button marked Edit beneath it. This brought up another dialog box called Permissions Entry for explorer.exe...the difference is it is EDITABLE. I clicked the box in the lower section marked Full Control..this will check all the other boxes, then Clicked OK, then OK again on the next dialog box, then OK one last time on the last dialog box...then highlighted the key again....and deleted it.

I then rebooted the computer. All my icons and start and task bars returned, and explorer was returned to normal functionality.

In regards to my other issues: I am cleaning them up now because I have full functionality of my machine back. This technique of changing the permissions on the registry key should work for any stubborn key value...but as everyone ALWAYS RIGHTFULLY warns here...the registry is a dangerous place to go deleting and adding things...be careful and seek counsel if you are unsure....one can really hose their machine up if they are not careful.

Thanks for letting me post...I guess this is closed unless something very odd happens. The rest of this seems pretty normal.


Nite.
tennscott

be careful out there
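The two posts above describe an Image File Execution Options (IFEO) hijack: a Debugger value on the explorer.exe subkey makes Windows start the "debugger" (here a file called naerkuje.bak) instead of Explorer, and the fix was to grant Full Control on the key through regedt32's Permissions dialog and delete it. As an added example that is not code from the thread, the PowerShell below does the same job in a repeatable way: it lists every IFEO Debugger value with a simple suspicion flag, and for a chosen image grants BUILTIN\Administrators Full Control (the post granted it to Everyone), exports the key for the record, then deletes it. It assumes an elevated PowerShell on Windows and that the caller may change the key's DACL, which is the same precondition the Permissions dialog relied on; the function names and the known-debugger list are mine.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell and
# that the caller may read and change the DACL of the IFEO subkey.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Names that legitimately appear in a Debugger value (assumed list). Anything
# else, such as the thread's c:\windows\system32\naerkuje.bak on explorer.exe,
# means the "debugger" runs instead of the program: an image hijack.
$KnownDebuggers = 'vsjitdebugger\.exe|windbg\.exe|ntsd\.exe|cdb\.exe|procdump'

function Get-IfeoDebugger {
    # Walk every per-image subkey and report the ones carrying a Debugger value.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.Debugger) {
            [PSCustomObject]@{
                Image      = $_.PSChildName
                Debugger   = $props.Debugger
                Suspicious = ($props.Debugger -notmatch $KnownDebuggers)
            }
        }
    }
}

function Remove-IfeoHijack {
    # Grant Administrators Full Control on one IFEO subkey, export it as
    # evidence, then delete it so the real program starts again.
    param([Parameter(Mandatory)][string]$Image,
          [string]$BackupDir = $env:TEMP)
    $subKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # READ_CONTROL to read the DACL, WRITE_DAC to change it; nothing more.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $check, $rights)
    if (-not $key) { throw "No IFEO entry for $Image" }

    $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)   # same effect as the Permissions dialog in the post
    $key.Close()

    # Keep an export of the key before removing it, so the evidence survives.
    $backup = Join-Path $BackupDir "ifeo-$Image.reg"
    if (Test-Path $backup) { Remove-Item $backup -Force }
    & reg.exe export "HKLM\$subKey" $backup | Out-Null
    Remove-Item -Path (Join-Path $IfeoPath $Image) -Recurse -Force
    return $backup
}

# Report first; act only on entries you have reviewed.
Get-IfeoDebugger | Where-Object { $_.Suspicious } | Format-Table -AutoSize
# Remove-IfeoHijack -Image 'explorer.exe'
```

The report also catches hijacks of other images (taskmgr.exe, regedit.exe, security tools), which is the usual pattern once one Debugger value has been found.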
