Files appeared after Run Combofix



#16 etavares


Posted 22 February 2011 - 06:42 PM

Hi Rimma...how is it going?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




#17 etavares


Posted 25 February 2011 - 07:21 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.




#18 Rimma


Posted 06 March 2011 - 12:40 PM

ComboFix 11-03-05.01 - Home 03/06/2011 12:13:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.430 [GMT -5:00]
Running from: c:\users\Home\Desktop\etavaresCF.exe
AV: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 17:24 . 2011-03-06 17:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-03-06 17:24 . 2011-03-06 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-05 18:17 . 2009-08-19 21:49 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2011-03-05 17:45 . 2011-03-05 18:51 -------- d-----w- C:\Netgear
2011-03-04 10:32 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE810A1C-0111-4D66-8C83-98410C734B38}\mpengine.dll
2011-02-25 23:19 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-25 23:17 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-02-25 23:17 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-02-25 23:17 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-02-09 14:03 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 14:03 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 14:03 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 14:01 . 2011-01-20 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-02-09 14:00 . 2011-01-20 16:08 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-02-09 14:00 . 2011-01-20 16:04 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-02-09 14:00 . 2011-01-20 14:11 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-02-09 14:00 . 2011-01-20 16:07 586240 ----a-w- c:\windows\system32\stobject.dll
2011-02-09 14:00 . 2011-01-20 16:07 37376 ----a-w- c:\windows\system32\cdd.dll
2011-02-09 14:00 . 2011-01-20 16:04 98816 ----a-w- c:\windows\system32\mfps.dll
2011-02-09 14:00 . 2011-01-20 16:07 258048 ----a-w- c:\windows\system32\winspool.drv
2011-02-09 14:00 . 2011-01-20 16:06 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-02-09 13:59 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-02-09 13:53 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2009-10-03 07:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 20:44 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-15 12:54 . 2010-08-31 14:53 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-12-14 14:49 . 2011-01-12 20:43 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-09 03:14 . 2010-12-09 03:14 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2006-12-29 20:15 . 2007-03-09 19:51 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 20:15 . 2007-03-09 19:51 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 20:15 . 2007-03-09 19:51 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-29 20:15 . 2007-03-09 19:51 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2007-10-20 66912]
.
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-10-20 22:07 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-10-27 201384]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-10-27 1655464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 C7xxUSB;Samsung CMC7xx USB Network Driver;c:\windows\system32\DRIVERS\C7xUSBV3.sys [x]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [2010-12-20 63992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2010-10-27 41896]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2010-10-27 27304]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-12-15 42664]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [2010-10-27 72520]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-10-27 37832]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-10-27 72840]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\Anti-Virus\minifilter\fsvista.sys [2010-10-27 14504]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2008-10-05 20376]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2010-11-30 130728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-12 06:33]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-12 06:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Handler: soloresinternetrusengnum - {1B7043A7-84E1-443a-804F-20A75728892C} -
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Solo.9.0.RusNumEng - c:\users\Home\Desktop\Solo9RusEngNum\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 12:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-03-06 12:29:10
ComboFix-quarantined-files.txt 2011-03-06 17:29
.
Pre-Run: 92,849,733,632 bytes free
Post-Run: 92,528,685,056 bytes free
.
- - End Of File - - 690047448C98C8A0496BAC6362080FA8

#19 Rimma


Posted 06 March 2011 - 12:45 PM

That's what is going on - I have no access any more to the Documents and Settings folder, and many others. I'm not an admin any longer.
Someone else - see there in the log file - access is denied.
There was a My Documents folder created in Documents - I had no access to this either, but I deleted it.
Etavares, I did everything as you asked - I guess you can see the run's results clearly.
Thank you for your help.

#20 Rimma


Posted 06 March 2011 - 01:05 PM

I want to show you my F-Secure log file after the run. Seems like it has finally found some spyware.



Scanning Report

06 March 2011 12:48:27 - 12:52:47

Computer name: HOME-PC
Scanning type: Virus and spyware scan
Target: System

Result: 1 malware found

TrackingCookie.2o7 (Tracking cookie)
Action: quarantined
Statistics

Scanned:
Files: 4734
Not scanned: 0
Result:
Viruses: 0
Spyware: 1
Suspicious items: 0
Riskware: 0
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Quarantined: 1
Failed: 0
Boot Sectors:
Scanned: 0
Infected: 0
Suspicious items: 0
Disinfected: 0
Options

Definitions version:
Viruses: 2011-03-06_04
Spyware: 2011-03-06_04
Scanning Engines:
F-Secure Aquarius: 11.00.00, 2011-03-06
F-Secure Hydra: 5.02.15, 2011-03-05
F-Secure Gemini: 3.01.32, 2011-01-10
Scanning options:
Scan defined files: ANI ASP AX BAT BIN BOO CHM CMD COM CPL DLL DOC DOT DRV EML EXE HLP HTA HTM HTML HTT INF INI JOB JS JSE LNK LSP MDB MHT MPP MPT MSG MSO OCX PDF PHP PIF POT PPT RTF SCR SHS SWF SYS TD0 VBE VBS VXD WBK WMA WMV WMF WSC WSF WSH WRI XLS XLT XML ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Scan inside archives
Actions:
Viruses: Ask after scan
Spyware: Ask after scan

#21 etavares


Posted 06 March 2011 - 03:58 PM

Reopened as OP replied. Merged topics.




#22 etavares


Posted 06 March 2011 - 04:06 PM

Hello, Rimma.

Someone else - see there in log-file - access is denied.


I'm not sure what you mean by this. Can you please provide a little more description? That will help me decide the next step.

What other folders are you having issues accessing? I don't need a full list at this point, just any ones you have noticed.



Step 1

We need to run Profiles by noahdfear.

  • Download Profiles and save it to your desktop.
  • Double-click profiles.exe and post the resulting log into your reply.

etavares




#23 Rimma


Posted 06 March 2011 - 04:57 PM

This is the lower part of the ComboFix log file:

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)

Is this not a problem?

#24 Rimma


Posted 06 March 2011 - 05:02 PM

Here we go... Profiles report:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2026281794-1223098738-4249371228-1000
ProfileImagePath REG_EXPAND_SZ C:\Users\Home

ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService
SystemRoot REG_SZ C:\Windows

Thanks for your time and help.

#25 etavares


Posted 07 March 2011 - 06:03 PM

Hello, Rimma.

OK, no malicious profiles, that's good to verify given the issues.

In regards to the part of the Combofix log you identified, no that is not a problem. We'll unlock it later for housekeeping (I'm not a fan of anything being locked besides what comes locked when you install Windows) but it's a very tiny part of your registry and it's fairly common to be locked. It doesn't explain the other issues. I'm going to look at permissions for My Documents.

  • Please download SWXCACLS from this download link
  • Save it to C:\windows\. (Let me know if that path is locked.)
  • Click the Windows button in the lower left, in the box type cmd and wait (do not press Enter). When it searches, you will see cmd.exe under the Programs section. Right-click on cmd.exe and click Run as Administrator. If the Windows UAC pops up, select Yes/Allow to allow you to run the command prompt as administrator.
  • Copy the bold text below. Right-click in the command prompt window that opened after the previous step and select Paste.

    swxcacls "%USERPROFILE%\My Documents" > "%USERPROFILE%\Desktop\swxlog.txt"
  • Press Enter to run the command.
  • You'll see a new prompt pop up. Look on your desktop for swxlog.txt and attach it to your reply.
  • In the command prompt window type exit and press Enter to close it.

Please attach swxlog.txt to your reply.


etavares




#26 Rimma


Posted 07 March 2011 - 06:53 PM

Etavares,
It doesn't let me save your file in the C:\ location. It said I have no permission ;-(
Please let me know what's next.

One more thing which I haven't told you about - whenever I'm on the computer I cannot use the lower menu. I can see the windows open, but when I click on that, the message pops up: WINDOWS EXPLORER IS NOT RESPONDING, and gives me 3 options: 1. Close the program, 2. Restart the program, 3. Wait for the program to respond. When I click on one of them the system reloads for a long time, then for a few minutes I can operate those buttons, like the Start menu and all those lower icons like language, sound, internet connection etc.

Thanks

#27 etavares


Posted 08 March 2011 - 06:59 PM

OK, in that case, please save it to your desktop and replace the command above with this instead:

"%USERPROFILE%\Desktop\swxcacls" "%USERPROFILE%\My Documents" > "%USERPROFILE%\Desktop\swxlog.txt"

Edited by etavares, 08 March 2011 - 06:59 PM.




#28 Rimma


Posted 08 March 2011 - 09:58 PM

Etavares, thanks for your help.
I did it. I saved it on the Desktop. I ran CMD as an admin.
On the cmd.exe black screen I got a short message after hitting Enter: The system cannot find the path specified.
The log pops up, but it is absolutely empty.
Then I tried to double-click SWXCACLS on the desktop and hit RUN; it ran a cmd screen for a few seconds and disappeared. The log is empty.
Sorry.

At that point, can we do anything?

#29 etavares


Posted 09 March 2011 - 01:55 PM

Hello, Rimma.
OK, it could be the environment variable is also broken; or that there's a double extension on the file. This batch will look for both.

  • Please open Notepad.
  • Copy and paste the text in the box below into Notepad.
    @ECHO OFF
    REM Record the Desktop listing so a hidden double extension (e.g. swxcacls.exe.txt) shows up
    @ECHO Desktop Directory > "%USERPROFILE%\Desktop\newlog.txt"
    dir "%USERPROFILE%\Desktop" >> "%USERPROFILE%\Desktop\newlog.txt"
    REM Dump the machine-wide and per-user environment variables from the registry
    @ECHO HKLM Export >> "%USERPROFILE%\Desktop\newlog.txt"
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> "%USERPROFILE%\Desktop\newlog.txt"
    @ECHO HKCU Export >> "%USERPROFILE%\Desktop\newlog.txt"
    reg query "HKCU\Environment" /s >> "%USERPROFILE%\Desktop\newlog.txt"
    REM Open the log; the empty "" is the window title, otherwise START treats the quoted path as the title
    start "" "%USERPROFILE%\Desktop\newlog.txt"
    REM The batch file deletes itself once it is done
    del %0
    This fix is custom made for this user's computer.
  • Select File-->Save As
  • Select File as Type: All Types (*.*)
  • Save it to your desktop as fixme.bat
  • Right-click on fixme.bat on your desktop and select "Run As Administrator". If Windows asks, click YES to allow it to proceed.
  • A window will briefly pop up then close.
  • A log will open, please copy and paste it into your response.

etavares


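A PowerShell equivalent of the two diagnostics in this thread (the swxcacls permission check on My Documents and the environment-variable batch file above), added here as an illustration; it is not part of etavares' instructions and does not use swxcacls.exe or profiles.exe. It records whether %USERPROFILE% resolves, lists Desktop files with their full names so a hidden double extension shows, dumps both Environment registry keys, and lists the ACEs on the Documents folder, flagging Deny entries. The output file name envcheck.txt and the elevated PowerShell prompt are assumptions.

```powershell
# Added diagnostic example, not the thread's own tools. Run from an elevated
# PowerShell prompt. The log file name below is an assumption.
$log = Join-Path $env:USERPROFILE 'Desktop\envcheck.txt'
if (Test-Path $log) { Remove-Item $log -Force }

function Write-Log([string]$text) { Add-Content -Path $log -Value $text }

# 1. Does %USERPROFILE% expand and does the Desktop exist? An unset or
#    damaged variable is one cause of "The system cannot find the path specified".
Write-Log "USERPROFILE = [$env:USERPROFILE]"
$desktop = Join-Path $env:USERPROFILE 'Desktop'
Write-Log ("Desktop exists: " + (Test-Path $desktop))

# 2. List Desktop files with their real names. Explorer hides known extensions,
#    so a file shown as 'swxcacls.exe' may really be 'swxcacls.exe.txt'.
Write-Log "--- Desktop listing (full names) ---"
Get-ChildItem -Path $desktop -Force | ForEach-Object {
    $flag = ''
    if ($_.Name -match '\.(exe|bat|cmd)\.[^.]+$') { $flag = '  <-- double extension' }
    Write-Log ("{0,-22} {1,12} {2}{3}" -f $_.LastWriteTime, $_.Length, $_.Name, $flag)
}

# 3. Machine-wide and per-user environment, the same keys the batch file queried.
Write-Log "--- HKLM Environment ---"
Write-Log (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' | Out-String -Width 300)
Write-Log "--- HKCU Environment ---"
Write-Log (Get-ItemProperty 'HKCU:\Environment' | Out-String -Width 300)

# 4. Permissions on the Documents folder: list every ACE and flag Deny entries,
#    which is what the swxcacls step was meant to reveal. On Vista the
#    "My Documents" name under the profile is only a compatibility junction
#    pointing at "Documents", so the real folder is checked here.
$docs = Join-Path $env:USERPROFILE 'Documents'
Write-Log "--- ACL for $docs ---"
if (Test-Path $docs) {
    $acl = Get-Acl -Path $docs
    Write-Log ("Owner: " + $acl.Owner)
    foreach ($ace in $acl.Access) {
        $flag = ''
        if ($ace.AccessControlType -eq 'Deny') { $flag = '  <-- DENY' }
        Write-Log ("{0,-6} {1,-35} {2}{3}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights, $flag)
    }
} else {
    Write-Log "Documents folder not found or not accessible."
}

# Open the finished log for the user to paste into a reply.
notepad.exe $log
```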


#30 Rimma


Posted 09 March 2011 - 05:37 PM

I got a log on my desktop with the name newlog. Here is the content:

Desktop Directory
Volume in drive C is SQ004286V02
Volume Serial Number is 5245-5F08

Directory of C:\Users\Home\Desktop

03/09/2011 05:34 PM <DIR> .
03/09/2011 05:34 PM <DIR> ..
09/01/2009 09:23 AM 1,681 CCleaner.lnk
02/02/2011 10:56 AM 195 Comcast Email.url
02/02/2011 10:56 AM 189 Comcast Security.url
09/14/2009 04:54 AM 4,916,872 driver_wifi_intel_v11.1.0.86_os2007146a.exe
03/06/2011 12:07 PM 4,281,003 etavaresCF.exe
03/08/2011 09:42 PM 26,112 etevares.doc
03/09/2011 05:33 PM 495 Fixme.bat
02/18/2011 08:11 AM 25,088 GG Front Desk Associate.doc
10/26/2009 03:59 PM <DIR> Interveiw
06/23/2009 06:43 AM 142,336 Keyboard shortcuts.doc
03/06/2011 09:41 AM 22,033,254 Krasota.pdf
08/25/2009 02:09 PM 5,440,439 Lease Agreement.pdf
03/06/2011 12:31 PM 10,856 log.txt
03/09/2011 08:05 AM 12,251 March 9th Job List[1].docx
01/19/2011 12:04 PM 1,725,015 Moving List[1].pdf
03/09/2011 05:34 PM 20 newlog.txt
03/06/2011 05:00 PM 147,832 profiles.exe
02/16/2011 10:27 PM 133,632 RKUnhookerLE.EXE
08/19/2009 04:49 PM 172 Router Login.url
03/05/2011 01:50 PM 5,886 Router_Setup.html
10/26/2009 04:09 PM <DIR> SAP FICO Reqs, Tips and conts
06/05/2009 04:26 AM <DIR> SAP GUI
06/05/2009 04:23 AM <DIR> SAP Help
03/09/2011 05:27 PM 35,840 StoppedWidows Explore.doc
03/08/2011 09:43 PM 81,920 swxcacls.exe
02/09/2011 10:13 AM 10,091,339 Teeth jpg090[1].jpg
10/18/2010 07:48 AM <DIR> Treasury and AR SAP
02/03/2010 06:35 AM <DIR> Vicenza
09/14/2009 04:58 AM <DIR> wlan
22 File(s) 49,112,427 bytes
9 Dir(s) 92,613,701,632 bytes free
HKLM Export

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
FP_NO_HOST_CHECK REG_SZ NO
OS REG_SZ Windows_NT
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE REG_SZ x86
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
USERNAME REG_SZ SYSTEM
windir REG_EXPAND_SZ %SystemRoot%
PROCESSOR_LEVEL REG_SZ 6
PROCESSOR_IDENTIFIER REG_SZ x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_REVISION REG_SZ 0f06
NUMBER_OF_PROCESSORS REG_SZ 2
CLASSPATH REG_SZ .;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
QTJAVA REG_SZ C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
PSModulePath REG_EXPAND_SZ %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

HKCU Export

HKEY_CURRENT_USER\Environment
TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp
TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp

Edited by Rimma, 09 March 2011 - 05:41 PM.




